Introduction 


This guide contains detailed instructions on how to install Linux and setup an 
anti-spam email gateway. If you run a dedicated Internet email server of any 
kind, then you are already fighting with spam. This documentation will provide 
you with a low-cost anti-spam solution that is both web configured and 
managed, using free Open Source Software. 


If you don’t have a firewall, it’s strongly recommended you get one. The 
Piratefish Anti-Spam System is not designed to be any kind of firewall device, 
but basic instructions are included on how to add a firewall into your Piratefish 
Anti-Spam System. 


The Piratefish is intended to be an anti-spam server that any system 
administrator can setup with little to no Linux experience. The Ubuntu Server 
OS is used for this setup because it contains most of the packages needed to 
build a fully working system. 


Having experience with Internet Networking and Windows is very helpful. Just 
work through each step, and follow the instructions and perform the tests as 
you proceed. 


To get started, you will have to download the Ubuntu Server CD-ROM image 
from Ubuntu.com and burn it. Your Piratefish Anti-Spam System will need 
Internet access during the entire build process. Instructions are provided on 
how to change the IP address once the system has been completed. 


Total setup time, not including downloads, is dependent on the skills of the 
reader. For the knowledgeable user with a decent Internet connection and 
networking experience, basic setup with black-hole list protections can be done 
in about 2 hours. 


What open source packages are used? 


The Piratefish Anti-Spam System uses a large number of Open-Source programs 
and tools, way too many to list here in fact. Here are the primary packages 
that make the Piratefish work: 


Software                 Purpose 

Ubuntu Server Edition    Base Operating System 
MailScanner              Message Processing & Black Hole Checking 
SpamAssassin             Message Content Analysis & Bayesian Filtering 
Postfix                  Send and Receive Mail 
Webmin                   Remote GUI for System Administration 
Bind                     A DNS Server Program; caching of DNS and blacklist tests 
ClamAV                   An Open-Source Anti-Virus scanning tool 
Logwatch                 Provides daily reporting on spam activity 


Using Virtual Machines 


If you’re proficient in or advocate the use of Virtual Machines, or VM’s, then you 
might be pleased to note that this edition of the Piratefish was produced using 
VMware ESXi version 3.5. Virtual Machines are the future of server-room 
computing and easy to use and implement. 


If you’re not familiar with VM’s, I recommend that you start learning about them 
as soon as possible. VM’s provide an excellent way to build and test 
environments, and they are easy to use, easy to maintain and best of all, free. 


A single server-class machine with one CPU and 2gb of ram can serve as the host 
for up to 4 complete Linux systems. If you’ve ever wondered how you could use 
16gb or 32gb of ram in a single server, Virtual Machines is how. A single 2U 
server with a fast RAID-5 array, two gigabit Ethernet ports, dual Xeon processors 
and 16gb of ram can run 10-20 complete virtual machines, including Windows 
Servers, workstations, remote access servers, mail servers, Piratefish, web 
servers, database servers and even software firewalls. 


There are many different VM systems available for Linux, but my personal 
experience has found VMware to be the superior system in all areas. The only 
disappointment of VMware is its requirement for a Windows-based 
management client. The list of reasons I don’t completely convert to Linux was 
only two items long prior to VMware coming into my life. The other items are 
FPS games and Check Point Firewall-1. 


In addition to the regular support of the Piratefish, I will support those users 
trying to use VMware as well. I’ve been tempted to write an entire book on just 
that subject... 


Materials Required 


A computer (or VM) to dedicate to anti-spam services; 


Note: If you’re planning on heavily using Bayesian filtering, be sure to 
build the system larger and faster. Higher volume email sites should use a 
newer faster computer with at least 1gigabyte of ram. 


• Modern Intel or AMD x86 based CPU. Faster is better. 

• At least 512mb of ram. More is better. 

• At least 4gb of disk storage, depending on your logging needs. 

• A supported network card (3Com, Intel, Broadcom, Linksys, Etc.) 

• Access to the Internet. Required 

• A workstation PC with a web browser (your desktop PC will work fine) 

• An SSH client (Windows users should search Google for Putty) 

• An Ubuntu Server Installation CD. Download and burn it. 

• To obtain the Ubuntu Server Installation CD-ROM, you need to visit 
the website http://www.ubuntu.org 


The Ubuntu Server disk image is around 600 mb. Use the 64bit image 
only if your computer is a 64bit system. When in doubt, use the 32bit 
version of the OS. 


Note: For those wanting to get started right away, I recommend that 
folks use the Torrent links whenever possible. Downloading of a 
torrent file such as this can take less than 1 hour, and will virtually 
guarantee a successful download. 


For more information about BitTorrent downloading, please visit 
http://www.bittorrent.org. There are many bittorrent clients available 
for free on the web. 


The Installation Process & Pre-Installation Tips 


The process of building the Piratefish system is broken into separate chapters in 
this guide. The chapters provide detailed instructions on what things one 
should expect to see and what answers will be needed for the various 
questions. 


Each section is logically broken into phases, each of which lets you 
construct and test one part of the system. After completing Chapter 12, the 
Piratefish is ready for action — but it will still have some deficiencies until all 
the system setup features have been completed. 


During the development of the Piratefish, the server was brought online 
without Bayesian filtering. It began stopping spams immediately — where once 
100 spams a day came through, the count came down to 15 spams a day. Spam 
was still getting through because all the blocking done was through a 
combination of blacklist servers and simple content scoring. 


Over time the number of spams getting through each day grew as the 
spammers had realized they weren’t getting in and changed their tactics. They 
began to engineer their spam to get around the filters and used non-blacklisted 
servers to avoid the blacklist check. By this time I’d collected plenty of spam 
and ham together - hams are examples of good emails. 


Having a collection of spams and hams before setting up the Piratefish will allow 
you to activate the Bayesian filters right away — see chapter 14. Even after 
setting this system up, spams will still get through — it’s important to collect 
these and re-train your Piratefish often — just to keep it sharp. A minimum of 
200 spams and 200 hams are needed to be learned before the Bayesian filter 
starts to work. 


Bayesian filtering is an automatic feature of the SpamAssassin program used in 
the Piratefish. The folks at the Apache Software Foundation recommend putting 
as much ham and spam as possible into your Piratefish system. Another system 
I've had experience with recommends no more than 800 spams and hams. 


The final chapters of this guide cover setting up the Bayesian filter, how to 
prevent email backscatter, how to install a firewall on the Piratefish server itself, 
how to setup and use FuzzyOCR to read image spams and how to change the IP 
address of a running Piratefish server. 


If you run into any troubles during the building and construction of your 
Piratefish, and you have not yet read the Piratefish 4 tuning & support page, 
now is the time to do so. The tuning & support page for this document provides 
updates and advice that wasn’t available at the time this document was written. 


Author's Note 


The Piratefish Anti-Spam Guide is a best effort document. There is no guarantee 
that a screenshot will look the same between the time this document is written 
and the time you read it. Linux changes, life changes, things change. Please be 
sure to try and work through the documentation thoroughly. Doing so will 
reduce headaches later. 


This is the fourth major revision of this document, and is hopefully 
the best. I am publishing this edition of the book in Word document form in the 
hope that my readers and supporters will not openly share it or give it away. 
The Piratefish has received much support from the open-source world and its 
users, and I hope to continue this trend. I always try to be a generous, 
reachable and friendly person — so please don’t be afraid to reach out and let 
me know how things are going, ask for advice, Etc. 


If you are reading and using the Piratefish, and didn’t pay for this document, I 
would please ask that you consider purchasing it so that you will receive 
updates to this document as they become available. All Piratefish owners get 
free updates as long as the Piratefish lives. 
Chapter 1: Installing the Ubuntu Server OS 


By this time, you have chosen the system that will become your Piratefish Anti- 
Spam System. Please be aware that these instructions will erase the hard disk of 
this computer and install the Ubuntu Linux Operating System. 


1. Make sure the computer is plugged into the network and is ready to be 
setup. If you’re setting this up on one IP address, and moving it to another 
IP address when the system is put into production, assistance with changing 
the IP address is provided later in this book. Internet access is required to 
setup the Piratefish, but it’s best to use static IP addressing for your 
Piratefish. 


Using DHCP addressing is possible, but it makes reaching the unfinished 
server more difficult during the construction process. Additionally, once this 
system is put online it must not operate with a DHCP assigned IP address. 
Note that these instructions were written in a DHCP environment, so 
changing the system's IP address afterwards is required. 


Note: Throughout these instructions Linux commands are listed in lower 
case characters. Linux is a case-sensitive operating system. In Linux, it is 
possible to have five different files named "Bob", "BOB", "bob", "bOb" and 
"BoB" all in the same directory. In Windows, bob=BOB=bOb=BoB=Bob. 


2. This installation will need you to provide the following information: 


• A hostname for this computer (usually piratefish) 

• A username and password 

• A root password 

• The IP address of the system 

• The Subnet Mask of the system 

• The Default Gateway of the system 


Having these written down or in your head before proceeding will speed 
the build process. 


3. Place the Ubuntu Server CD-ROM into the computer and boot the CD. 


4. When the CD boots an Ubuntu banner screen will appear with a menu of 
language options. Choose your language and press Enter. 

[Screenshot: the CD boot screen with its menu of available languages] 


5. Choose Install Ubuntu Server and Press Enter. 


6. Now choose your installation language and press enter. 


7. Choose your country and press enter. 


8. Choose your keyboard layout. Please note that the keyboard detection 
works, but is slow and annoying. It’s faster just to choose your preferred 
layout. 


Once you’ve gone through this process, the system will begin loading for 
the installation. This takes a minute or two, as it’s now loading drivers, 
reading the CD-ROM, determining what hardware is installed on the system 
and so forth. 


During this process you may need to setup an IP address for the system — 
otherwise it will detect and configure the network card using DHCP. This is 
acceptable for now, but will be changed later. 


9. Once it’s done, it will ask for the hostname — enter in a hostname and press 
enter. The hostname should be all lower-case, one word, no spaces or 
special characters. 


Note that this name will match the Internet host name of where all your 
email will be delivered (without the domain name). 


10. Now choose your time zone and press enter. 


11. The system will now detect your storage setup. If you’re using a simple 
hard disk, then you are recommended to use either of the first two options. 


More advanced users might want to perform a manual or more complex 
setup, depending on what kind of disk systems are in use. This book cannot 
go into deep detail on all the options here, but if you’re experienced or 
adventurous, then you might want to look around a bit at each option. 


New users are recommended to use the first option. LVM generally is used 
in situations where a large partition is needed and can be spanned across 
multiple disks - similar to RAID 0. Piratefish servers don’t require tons of 
storage — 20gb for most users will be overkill! 


12. Choose your desired installation disk, and press enter. 


13. If you choose the recommended setting, you’ll be presented with this 
screen; Choose Yes and press enter. 


14. The system will now make changes to the system partition table, format the 
new partitions, and begin installing the base system. 


This process will take some time as the files need to be decompressed and 
installed. The installer also performs customization of the system in order 
for it to work optimally with your hardware. 


15. Once the base install is complete, the system will ask for a user name. Put 
in your full name and press enter. 


16. The system will then recommend a username — edit or change as desired 
and press enter. 


17. Now enter your password. Remember that this password will be used 
every time you remotely connect to the system using SSH or log into the 
console. 


18. When asked about encrypting your home directory, choose the default 
answer of No and press enter. 


19. If your network requires that you use a proxy to access the Internet, 
configure that now, otherwise choose to continue. 


20. When asked about how to manage updates, choose to install security 
updates automatically. 
Note that this will ONLY install security updates — version updates and other 
major software updates will still be done manually. This is best done 
manually so as to ensure that you’re aware of any major changes that could 
affect system operations. 


21. When you reach the software selection screen, you should select DNS 
server, Mail server, and OpenSSH server. If you’re building your Piratefish 
on a VMware server, then select Virtual Machine host as well. Select items 
using the spacebar and arrows. TAB over to Continue and press enter to 
continue. 


updates it needs to install the selected software. 


23. When asked about your Postfix Configuration, choose No configuration and 
press enter. 
24. The system will now download and install itself, and after a few minutes it 
will install the boot loader and announce the installation complete. 


[!!] Finish the installation 
Installation complete 
Installation is complete, so it is time to boot into your new system. 
Make sure to remove the installation media (CD-ROM, floppies), so 
that you boot into the new system rather than restarting the 
installation. 

<Go Back>                                                  <Continue> 


Press enter to continue. The system will now reboot itself. 


25. Once the system has rebooted, the console should present you with a 
screen like this; 


fsck from util-linux-ng 2.16 
/dev/sda1: clean, 47815/498736 files, 233004/1994060 blocks 
 * Setting preliminary keymap... 
[    6.792315] ACPI: I/O resource piix4_smbus [0x1040-0x1047] conflicts with ACPI region SMB_ [0x1040-0x104b] 
 * Starting AppArmor profiles 
 * Setting up console font and keymap... 
 * Starting domain name service... bind9 
 * Starting OpenBSD Secure Shell server sshd 
 * Starting libvirt management daemon libvirtd 
 * Loading kvm module 

Ubuntu 9.10 piratefish tty1 

piratefish login:  * Restarting OpenBSD Secure Shell server sshd 


Pressing enter should get the server's attention and present a login prompt. 


This is how a normal boot screen will look on most Linux servers. While it 
may be boring, mastering this ugly environment is worth the trouble. This 
book tries to avoid using the command line, but it cannot be completely 
bypassed just yet. 


26. Now log in using your username and password as entered during 
installation. 


Congratulations — you have logged into your newly installed Linux server. 
At this point you are logged in as you — and you are only a user on your new 
server — not an administrator. Linux uses a system of privileges to keep 
users isolated from system functions. In order to elevate your privileges 
on the system, you must enter the commands to do so. 


Enter the command "sudo -s" and press enter. 


Now enter your login password. 


Once you have done this successfully, you will be logged in as the root user, 
and you will be able to do anything you like. I emphasize this because 
anything includes destructive changes in addition to helpful ones. 


Note: Unlike most other Linux distributions, Ubuntu's default setup does 
not have a regular root user. The root user account in Ubuntu does exist, 
but by default the root account is not an account that someone can simply 
log in to. As a security precaution, Ubuntu requires users to log in with 
normal user accounts, and then access root privileges as needed. 


Ubuntu Linux uses a system called SUDO or "Substitute User DO" that 
permits users to gain privileges as needed. For desktop workstations this is 
acceptable, however, this makes management cumbersome on a server. 


In this documentation I provide a how-to on how to bypass Ubuntu's SUDO 
setup for the purposes of easy installation. It is strongly recommended that 
this system is left in place on other systems you create using Ubuntu unless 
absolutely necessary. 


In Ubuntu Linux, the root user's password is unknown to the user, but it can 
be set using a sudo command. Once the root user's password is set, users 
can still become root using "sudo -s", but it will also be possible to become 
root using the "su -" command to log in as root, and root can also log in from a 
console. 

27. Type "passwd root" and press enter. 

You will be prompted to enter a password for root twice. 


28. Type in the command 

"cp /etc/apt/sources.list /etc/apt/sources.list.backup" 

and press enter. 

This makes a backup of the Apt Sources file. 


29. Type in the command "pico /etc/apt/sources.list" and press enter. 


This will load the pico editor and open the file /etc/apt/sources.list 


This file instructs Ubuntu on where to get program files and updates from. 


We're going to change and expand this list to make construction of your 
Piratefish much easier. 


The pico editor uses the arrows, delete key and control keys (listed at the 
bottom of the screen) -- It should be easy to use if you're familiar with 
Windows Notepad. 


30. Use the arrow keys to find a pair of lines that looks like this: 


# deb http://us.archive.ubuntu.com/ubuntu jaunty-backports main restrict... 
# deb-src http://us.archive.ubuntu.com/ubuntu jaunty-backports main resct.... 


Remove the # from both of these lines so they start like this: 


deb http://us.archive.ubuntu.com/ubuntu feisty... 
deb-src http://us.archive.ubuntu.com/ubuntu feisty... 
31. Editing of the file is complete. Press Control-X to exit, and type Y and press 
enter to save the file. 


32. Now type in the command “apt-get update” and press enter. 

The server will now go online and begin downloading updates from Ubuntu. 
This might take some time depending on your connection speed and how 
old the Ubuntu distribution you're using is. Newer Linux distributions need 
to download fewer updates. 

APT stands for "Advanced Packaging Tool" and is used by most Debian- 
based Linux distributions. Ubuntu is one of the most popular Linux 
distributions in the world, and it's a Debian based distribution. 


The APT tools provide a very easy way to download and install software and 
is essential for building your Piratefish server. 


Once the update is complete, you will be returned to the command prompt. 


33. Now enter the command “apt-get -y upgrade” and press enter. 


This tells APT to download the latest updates, not bother you with 
questions, and install the updates. 


34. Once the updates are complete, please reboot your server using the 
command “reboot”. 


Once the reboot is complete, perform another “apt-get update” and 
“apt-get -y upgrade” and reboot once again. 
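The note in step 26 explains that "passwd root" (step 27) turns root into an account that can authenticate with a password. As an added example, not from the Piratefish guide, here are two small shell checks for reviewing what that exposes afterwards: one reads the root entry of a shadow-format file, the other the PermitRootLogin setting of an sshd_config. Both take the file path as a parameter so they can be run against copies; the function names and the report format are this example's own.

```shell
#!/bin/sh
# Added example, not from the Piratefish guide: after "passwd root" (step 27)
# root can authenticate with a password, so check what that exposes.
# Both functions take a file path so they can be run against copies of
# /etc/shadow and /etc/ssh/sshd_config (reading the real files needs root).

# root_password_usable SHADOW_FILE -> prints "yes" or "no"
#   The second field of the root entry is the password hash.  A field that is
#   empty or starts with '!' or '*' cannot match any password: that is the
#   locked state Ubuntu ships root in, and "passwd root" replaces it.
root_password_usable() {
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$hash" in
        '' | '!'* | '*'*) echo no ;;
        *)                echo yes ;;
    esac
}

# sshd_root_login SSHD_CONFIG -> prints the PermitRootLogin value, or "absent"
#   sshd uses the first uncommented occurrence of a directive.  When the
#   directive is absent the compiled-in default applies, which for the
#   OpenSSH releases of this era (before 7.0) is "yes", i.e. password logins
#   as root over SSH are accepted once root has a usable password.
sshd_root_login() {
    value=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    if [ -n "$value" ]; then echo "$value"; else echo absent; fi
}

# root_login_report SHADOW_FILE SSHD_CONFIG -> one-line summary for the log
root_login_report() {
    echo "root password usable: $(root_password_usable "$1"); sshd PermitRootLogin: $(sshd_root_login "$2")"
}

# Usage, as root:  root_login_report /etc/shadow /etc/ssh/sshd_config
```

A report of "yes" together with "absent" or "yes" means root can now be logged into directly over SSH, which on a mail gateway reachable from the Internet is worth knowing before the box goes live.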


Updating the System 


One fast way to perform updates is to string all the update commands onto a 
single line, like this: 


"apt-get -y update ; apt-get -y upgrade ; reboot" 


This will download the update information, install the updates — and reboot the 
system for good measure. 


Because Linux is open-source software and is maintained by hundreds of people 
constantly, many people are updating their pieces of your system on a constant 
basis. This means that there are almost always updates available. 


Updates aren't always a good thing - sometimes they can break things. Because 
of this, it's best to control when a system updates itself, that way you can be 
prepared for when an update breaks your system. 


Security updates should be installed automatically — this is one place where 
automatic updates are desirable as these can prevent someone from breaking 
into your system. 
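As an added example, not part of the Piratefish guide, the sources.list edit of steps 28 through 30 and the update commands of steps 32 through 34 as a small script. The backports lines are uncommented with sed after a backup is taken, and the apt commands are chained with && instead of the ; used in the one-liner above, so a failed upgrade does not reboot the server. The function names, and the file path and release name (jaunty) passed as parameters, are this example's own.

```shell
#!/bin/sh
# Added example, not from the Piratefish guide: steps 28-34 as a script.
# Assumes a Debian/Ubuntu sources.list and GNU sed; apt commands need root.

# enable_backports FILE RELEASE
#   Backs up FILE to FILE.backup, then uncomments the "deb" and "deb-src"
#   lines for RELEASE-backports only.  Every other line, including other
#   commented-out repositories, is left exactly as it was.
#   Prints the number of repository lines that became active.
enable_backports() {
    file=$1
    release=$2
    cp "$file" "$file.backup" || return 1
    # grep -c exits 1 when the count is 0; don't let that abort a set -e shell
    before=$(grep -c "^deb.* ${release}-backports " "$file" || true)
    sed "s|^# *\(deb\(-src\)\{0,1\} .* ${release}-backports .*\)|\1|" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    after=$(grep -c "^deb.* ${release}-backports " "$file" || true)
    echo $((after - before))
}

# update_system
#   The guide's "apt-get -y update ; apt-get -y upgrade ; reboot" one-liner,
#   but with && so the box is only rebooted when both apt steps succeeded.
#   A failure stops here, with apt's error still on the screen to read.
update_system() {
    apt-get -y update && apt-get -y upgrade && reboot
}

# Usage, as root:
#   enable_backports /etc/apt/sources.list jaunty && update_system
```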
Chapter 2: Installing the packages 


Pre-Installation Note: Typing filenames sucks. We all have to do it when we move 
around in DOS or Linux prompts. But Linux and Windows have some cheats for this - 
automatic path and filename completion. 

Imagine you're working in Linux, and you need to type out this filename: 


/etc/MailScanner/spamassassin/FuzzyOcr.words 


Normally, without taking advantage of things, we'd have to just type the entire 
command in like this: 


cat /etc/MailScanner/spamassassin/FuzzyOcr.words 

To take advantage of the Linux completion feature, all one needs to do is press the Tab 
key at times when you're trying to complete a filename or path. For example, in the 
above command: 

cat /etc/Mail{tab}/spa{tab}/Fu{tab}.w{tab} 

This will result in having the full command typed, without typing in the full command. 
Please keep this in mind while you're building your Piratefish server - it's a big help. Just 
remember, it only works on the local console or in SSH sessions, not when using the web 
interface. Also, if it doesn’t work — then that file or path might not exist yet — or perhaps 
you’ve mis-typed something... 


1. Log into your Piratefish server as root. 

2. Enter the command “apt-get remove -y apparmor” and press enter. 
This will remove a package called App Armor that causes more trouble 
than it’s worth. App Armor enforces file permissions based on a limited 
rule set that doesn’t take into account cross-discipline execution — 
simple things like a spam-scanner running an anti-virus scan, for 
instance, become a headache when this program is installed. 


3. Type in the following command: 


apt-get -y install mailscanner spamassassin clamav logwatch spfquery tesseract-ocr* gifsicle imagemagick ocrad 


and press enter. 


The system will now go online and retrieve the requested software. 
This will take a few minutes as this software is first downloaded, along 
with all the needed dependencies, and then everything is installed in 


order, and configured. 


4. Once this has completed, we need now to download and install 
Webmin. Webmin is a GUI program that is distributed from the website 
http://www.webmin.com 


Unfortunately, the Webmin site uses a relatively complex site-mirror 
setup, and downloading the needed files directly into your new Linux 
system is more troublesome to describe than it is to instruct the reader 
on how to use SCP, or, Secure Copy. 


Go to http://www.webmin.com now and click on the Debian Package 
link on the right-hand side of the screen. This will start the 
download — save this file onto your PC’s hard disk. 


5. Next, we need to copy this .deb file into your new Piratefish system. 
This is not hard if you’ve already figured this out, however, for many, it 
can be an insurmountable problem. First, I’ll answer this question as 
though you’re already experienced with the scp command — this next 
step will work on any Mac running OS X, and most Linux workstations 
without trouble. 

scp *.deb username@systemip:/home/username/ 


This might be a bit confusing, so let’s break it down a little bit. 


scp - This is the secure copy command 

*.deb - This references the webmin installation file 

username - Replace this with the user name you created 

@systemip - This should be replaced with the IP address of your 
Piratefish server. If you did not set one because you are using DHCP, 
then you will need to issue the command “ifconfig eth0” to see what 
your Piratefish’s IP address is. 

:/home/username/ - This path refers to the home directory of your 
user on the Piratefish system. 


So, if I had created a system on the IP address 192.168.1.211, and my 
username was john, I’d copy the file using this command: 


scp *.deb john@192.168.1.211:/home/john/ 


If this command works on your system, then you may wish to skip 
ahead to step 12, as the following section is for Windows users. 


Adding SCP to Windows Systems 


6. If you are a PC user, you should be aware that SCP is not included with 
your Windows operating system. If you downloaded the Putty 
complete package (google for it), then you have an SSH client and an 
SCP program. The problem is, they’re not linked into your system yet. 
To get the full benefit of having Putty installed on your system, I have 
used two successful tricks that permit me to use these Linux commands 
in Windows, the same way they’re used in Linux. 


7. First, I recommend adding the putty installation path into your DOS 
environment path variable so that putty commands are available every 
time you type a DOS command on your PC. 


8. This can be accessed by clicking on your start menu, right-clicking the 
My Computer icon and choosing Properties. Now click on the Advanced 
tab and click on the Environment Variables button on the lower right. 


9. Double-click on the Path section in the lower window pane. Add the 
path for Putty as shown to the end of the last line. Be sure to separate 
the existing path from the new addition using a semicolon; 


[Screenshot: System Properties > Advanced > Environment Variables > Edit 
System Variable, with ;C:\Program Files\PuTTY\ appended to the Path value] 


Once the new addition to the path is complete, click on OK until all the 
windows are closed up once more. 
10. From this point on, if you open a new DOS window on your windows 
system and type “putty” — the Putty window will appear. 


11. Now open the folder containing the Putty installation on your windows 
system. It should be something like c:\program files\PUTTY\ 


Using the right mouse button, drag and drop the putty.exe file within 
the same folder — a menu will appear — choose “copy here.” 


Now right-click the copy of the file and rename it to “ssh.exe” 


Do this for pscp.exe — renaming it to scp.exe, and for psftp.exe — 
renaming it to sftp.exe 


Once this is done, you can use ssh, scp and sftp from the command line 
at will. 


Now close any existing DOS window, and open a new one. 


Author's Note: SSH, SCP and SFTP are amazingly powerful replacements 
for FTP and Telnet. All three of these commands use the same TCP port, 
and all communications are encrypted. Anyone thinking of using Telnet 
or FTP should reconsider and use SSH instead. 


12. Now enter in the command, as shown, in step 5 of this Chapter, and as 
long as you started in the same folder where the Webmin file is, the 
Webmin file should now be copied into your Piratefish server. 


13. Now, back on the Piratefish server, logged in as root, enter this 
command: 


mv /home/username/*.deb . 


This will move the file you just uploaded to the server from your user 
directory. 


14. Now we will attempt to install webmin — note that the following 
command will fail, but with some helpful results. 


Author’s Note: Long ago when installing software in Linux, a person had 
to work out the dependencies — and the dependencies’ dependencies, by 
hand. The package management tools available now take on this 
struggle so that you don’t have to. Know that as you complete these 
next few steps, Windows can’t do this... 

Enter the command: (press the TAB key when [tab] appears) 


dpkg -i webmin[tab] 


and press enter. The computer will think for a few moments and kick 
out some errors. This is expected. 


These errors are reporting that other packages are required to install 
Webmin properly. The dpkg command isn’t smart enough on its own to 
solve this problem, however, apt is. 


15. Enter this command: 

apt-get -f -y install 


and press enter. 


The system will now retrieve the needed packages and install them, 
then complete the installation of Webmin for you. 
Note the message at the end of the installation window: 


Webmin install complete. You can now login to https://piratefish:10000/ 
as root with your root password, or as any user who can use sudo 
to run commands as root. 


16. On your PC workstation, open your web browser and access the URL as 
listed in your Webmin installation. If DNS is not working, use the IP 
address of the server instead. 

https://piratefiship:10000 


You will likely see some encryption errors — ignore them and continue 
into the site. (The browser is objecting to the self-signed certificate that 
Webmin generates for itself at install time; this is expected on a fresh install.) 


17. Log into this server as root with the root password setup previously. 


Chapter 3: Getting started with Webmin 


If you are successful in logging into Webmin on your Piratefish server, you will 
be presented with a screen that looks like this: 


[Screenshot: Webmin System Information page, showing the system hostname 
(piratefish.9kv.com), Operating system (Ubuntu Linux 9.10), Webmin version 
(1.490), time on system (Sun Nov 22 14:55:30 2009), kernel and CPU (Linux 
2.6.31-14-generic-pae on i686), system uptime, CPU load averages, real and 
virtual memory, and local disk space; the Webmin, System, Servers, Others, 
Networking, Hardware, Cluster and Un-used Modules menus are on the left] 


Congratulations! If you’ve made it this far, then it’s time to take a break. Go 
ahead and explore the various menu options — please do try not to make any 
changes yet — just get the feel of the GUI, go ahead and click on the Install 
Updates Now button as well. 


Once you’ve gotten your eyeful of how Webmin works, and seen the wonders it 
holds, we’re ready to move on with the installation. It’s important that you are 
comfortable in this management interface as this is where much configuration 
work is going to take place. 


To return to the home screen, just put the cursor up on the URL line and press 
enter — and you will be returned to the home screen. 


1. Open the Webmin menu on the left and click Webmin Configuration. 
2. Click on the Webmin Modules icon. 


3. Check the radio button next to “Third party module from” and click on 
the |...| button. Scroll down to MailScanner and click on it. 


4. Now click on the |Install Module| button. 


Webmin should now download and install the MailScanner 
management module. 


5. Now open the Servers menu on the left and click on MailScanner. 


An error will appear complaining that the MailScanner command was 
not found on the system. 


6. Click on the Module Configuration link. 


7. Now fill out the following spaces in the module configuration: 


Full path to MailScanner program                      /usr/sbin/MailScanner 

Full path and filename of MailScanner config file     /etc/MailScanner/MailScanner.conf 

Full path to the MailScanner bin directory            /usr/sbin/ 

Full path and filename for the MailScanner pid file   /var/run/MailScanner/MailScanner.pid 

Command to start MailScanner                          /etc/init.d/mailscanner start 

Command to stop MailScanner                           /etc/init.d/mailscanner stop 
8. Once filled out, the form should look like this: 


[Screenshot: Webmin “Configuration for module MailScanner” page, System 
configuration section, with the six fields above filled in: 
/usr/sbin/MailScanner, /etc/MailScanner/MailScanner.conf, /usr/sbin/, 
/var/run/MailScanner/MailScanner.pid, /etc/init.d/mailscanner start and 
/etc/init.d/mailscanner stop.] 


Now click on the | Save | button. 


If you were successful, then you should be presented with a MailScanner 
GUI page like this: 


[Screenshot: the MailScanner module page in Webmin (Servers menu: BIND DNS 
Server, Dovecot IMAP/POP3 Server, MailScanner, Postfix Mail Server, 
Procmail Mail Filter, Read User Mail, SSH Server, SpamAssassin Mail 
Filter), titled “MailScanner - SMTP E-Mail Virus Scanner”, with icons for 
System settings, Incoming Work Dir, Quarantine and Archive settings, 
Processing incoming mail, Virus scanning and Vulnerability testing, 
Attachment filename checking, Sophos Anti-Virus, ClamAV Anti-Virus, 
Report and responses, Remove offensive content, Changes to message, and 
Changes to the Subject: Line.] 


If you see this, then you have installed all the software needed to build your 
Piratefish Anti-Spam System. The next chapters will begin the process of 
configuration and testing. Congratulations. 


Chapter 4: Configuring the Postfix Mail Server 


In this chapter, you will be guided through the setup of the Postfix mail server 
software itself. This software is already loaded onto your Piratefish; however, it 
has not yet been configured. 


Open up a console screen on your Piratefish server and log in as root. 


Type dpkg-reconfigure postfix and press enter. 


Press TAB and enter to choose okay. Scroll down to Internet Site and 
press enter. 


Enter the system mail name. This name should reflect the full DNS 
name that this Piratefish server will have on the Internet. 


Enter the email address of the person who will get emails sent to the 
Piratefish root user. Be aware that this can generate a good amount of 
messages — many might be happier if this was left blank. Fill in an email 
address or leave it blank as desired. Press Enter. 


The system will now ask for what locations (or domains) to accept email 
for. BE CAREFUL!! You should not need to change the defaults that 
appear here — your domain should not be listed, but the server’s full 
DNS name should be. 


If a domain name is listed in this box, remove it. Domain names here 
will make the system think it’s the mail server for those domains. The 
mail needs to pass through, not be delivered here. 


Make sure that only your server DNS name and localhost are listed and 
press enter to continue. 


When asked about synchronous updates — if you’ve chosen the default 
file system, which happens to be ext3, then it’s safe to choose <No> and 
press enter. 


Next you are asked about what network address blocks are trusted for 
relay. Filling this in correctly is critical, because a mistake with this 
setting could turn your anti-spam server into a spam relay, and this 
would be somewhat counterproductive. 


Just to clarify things a bit, that list of local networks contains the obvious 
IPv4 localhost network — 127.0.0.1/8 — but it also contains a few extra 
less common network definitions — these are IPv6 local networks. 


I recommend not changing any of this, however, you should add some 
items onto the back end of this — namely the network you use in-house 
on your own equipment. My office network happens to use a couple of 
networks, and they appear like this: 


In my case, I’ve added the 192.168.1.0/24 network, and the 10.0.0.0/22 
network. Any mail sent into the Piratefish from these networks will be 
accepted for delivery without any anti-spam considerations. 


For more information about this setting, see the Appendix for the section 
titled Configuring Trusted Relay IP’s for 2-way Operation. 


Next you will be asked about using procmail for local mail delivery. 
Choose <No> and press enter. 


10. When asked about mailbox size limitations, just press enter to accept 
the default value of 0. 


11. When asked about the local address extension, just press enter to 
accept the default value. 


12. When asked about Internet protocols to use, leave all selected and 
press enter. 


Once you’ve gotten this far, postfix will complete its installation and 
start the postfix daemon. 


13. Now let’s return to the Webmin console; 


Open the Servers menu (on the left) and click on Postfix Mail Server. 


14. Click on the Transport Mapping icon. 


15. In the field next to Transport mapping lookup tables click the radio 
button next to Map specifications and fill in the field with 
hash:/etc/postfix/transport as shown. 


[Screenshot: Transport Mapping page, with “Transport mapping lookup 
tables” set to Map specifications and the value hash:/etc/postfix/transport. 
Below it Webmin notes: “No map is currently defined. Define a map first, 
then you can edit it”, followed by a Return to Postfix configuration link.] 


Click on | Save and Apply | once this is filled out. 
16. Click on the Transport Mapping icon again. 


17. Some new buttons will now be visible. Click on | Edit Map Manually |. 


18. In the edit window that appears, enter in each of the domains and their 
associated mail servers. This is where you instruct the Piratefish anti- 
spam gateway to deliver messages for each of the domains it serves. 


[Screenshot: Edit Map File window. Webmin notes: “Use the text box below 
to manually edit the mappings in /etc/postfix/transport. Be careful, as no 
syntax or validity checking will be done.” The text box holds one line per 
domain, each ending in smtp:[192.168.1.224].] 




Every Internet domain for which your Piratefish system will provide 
anti-spam filtering should be listed in this file. The IP address following 
each domain is the IP address of the email server that should receive 
messages once they’ve been processed. 


19. Once you are done editing the map file, click on the | Save | button. 


20. Now click on the link at the bottom to Return to the Postfix 
configuration and then click on the SMTP Server Options icon. 


21. Edit the field labeled SMTP greeting banner. Replace the (Ubuntu) from 
this header — there’s no need to advertise what operating system you’re 
using. Leave all the other parts of the banner intact, but feel free to add 
any message or other item onto the end of the line. 


This banner is presented to every mail server that connects to your 
Piratefish to deliver email. Putting Piratefish into the header is okay, 
but this might be helpful to spammers. I try to keep it light, so in those 
rare occasions where I’m debugging with someone else and they 
happen to read it, they’ll laugh — and I know what they’re talking to. 


SMTP Server Options 

SMTP greeting banner:   $myhostname ESMTP $mail_name (Brannigan's Law) 


Find the section labeled Restrict mail relaying. Check the radio button 
on the right, and fill in the domain names for which your Piratefish will 
be relaying, separated by commas. 


Restrict mail relaying:   pointswitch.com,piratefish.org 


Click on | Save and Apply | once you have finished. 


22. Now click on the General Options icon. 


In this section you can review all of your previous settings done at the 
beginning of this chapter. Make any updates you feel are necessary. 
When in doubt over a setting, don’t hesitate to click on the setting title 
itself, as this will pop up a description of what is expected in that field. 


Do not change anything here that you’ve not already set or changed in 
the earlier parts of this chapter. Do not change timings, or defaults. 


If you filled out everything correctly in the early part of this chapter, 
then nothing here needs to be changed. It’s important that we keep 
things as “un-tweaked” as possible at this point, because we need to 
ensure that things are operating as they should. 


Once you are done here, click on the |Save and Apply | button. 


23. Now click on the | Stop Postfix | button at the bottom of the page. Once 
the screen has finished refreshing, click on the | Start Postfix | button at the 
bottom. 


Once this is completed, you should have a working email relay for your 
domains — this does not mean you have a working anti-spam server, but it does 
mean that you’re ready to test the mail server. 


Chapter 5: Sending a test message 


In order to build the Piratefish as painlessly as possible, testing is very important 
after each section is completed, or as each feature is implemented. Until your 
anti-spam system is finished, frequent testing is critical as it will isolate and help 
identify what was most recently done that is likely to be causing problems. 


Testing the Piratefish server is done by impersonating a mail server, using telnet 
to “send” a message through the SMTP service. 


For those of you who make mistakes in typing, this is the one place that 
backspace is not to be trusted. Internet services, like SMTP, are made to deal 
with machines that never make mistakes — so these services aren’t coded to 
handle backspaces. If you mistype a command, you can usually press enter 
and then try typing that command again. If you really mess up, you can always 
type quit and restart the testing process. 


In the following example, we send a message to bob@piratefish.org from 
kim@aol.com. In your testing, please send the test message to your email 
address or a valid email address on your existing mail server — any email address 
in the world can be used as the sender’s address right now. 


To perform this test, be at the Linux command-line console of the Piratefish 
server you’re building. This can be done remotely through an SSH session as 
well. 


Here is a sample email session. The lines you type during the test are the 
telnet command, helo, mail from, rcpt to, data, the Subject: line, the message 
text, the single period that ends the message, and quit; every other line is 
the server’s response. Be sure to change bob@piratefish.org to your 
email address: 
root@piratefish# telnet localhost 25 
Trying 127.0.0.1... 
Connected to localhost.localdomain. 
Escape character is '^]'. 
220 piratefish.9kv.com ESMTP Postfix (Brannigan's Law) 
helo localhost 
250 piratefish.9kv.com 
mail from: kim@aol.com 
250 Ok 
rcpt to: bob@piratefish.org 
250 Ok 
data 
354 End data with <CR><LF>.<CR><LF> 
Subject: Test Message 

This is a test. 
. 
250 Ok: queued as B836654035 
quit 
221 Bye 
Connection closed by foreign host. 


If the test was successful, then you should receive a test message in your 
mailbox, from someone named kim@aol.com. 


If you receive any errors, please be sure to double-check your settings as shown 
in the preceding chapters. 


As you can see, sending email from the command line is easy — and this is one of 
the reasons why spamming is so prevalent — the sending of email is an 
unauthenticated process. In this test example, we claimed to be kim@aol.com, 
but we’re not her. This is how email addresses are forged throughout the 
Internet. Email headers show the IP address where the message came from, but 
unfortunately they do not tell us who actually sent it. 
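The telnet session above is easy to get wrong by hand, and when a step fails the reply code tells you which setting to revisit: a non-250 after rcpt to usually points at the relay settings of Chapter 4, a missing 220 banner at Postfix not running. The following is an added example for this guide, not the Piratefish author’s code and not part of Postfix: smtp_test() scripts the same HELO/MAIL/RCPT/DATA/QUIT dialogue and stops at the first reply whose code is not the expected one. FakeSmtpServer is a constructed stand-in for the gateway’s Postfix so the example runs offline; point smtp_test() at your own gateway on port 25 to use it for real. The addresses and banner are the chapter’s sample values, and dot_stuff() handles the one edge case telnet users must handle by hand: a message line that begins with a period.

```python
"""Script the telnet test above and check every reply code.

Added example for this guide: not the Piratefish author's code and not
Postfix. FakeSmtpServer is a constructed stand-in for the gateway's Postfix
so the example runs offline; addresses and banner are the chapter's values.
"""
import socket
import threading


def _read_reply(rfile):
    """Read one SMTP reply (possibly several '250-' lines); return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # "250-" continues, "250 " ends
            break
    return int(lines[-1][:3]), "\n".join(lines)


def dot_stuff(body_lines):
    """RFC 5321 transparency: a body line beginning with '.' gets a second '.'
    so it cannot be mistaken for the end-of-data marker."""
    return [("." + l) if l.startswith(".") else l for l in body_lines]


def smtp_test(host, port, mail_from, rcpt_to, subject, body, helo="localhost", timeout=10):
    """Return a transcript [(command, code, reply_text), ...]; raise on an unexpected code."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def expect(cmd, code):
            got, text = _read_reply(rfile)
            transcript.append((cmd, got, text))
            if got != code:
                raise RuntimeError(f"{cmd}: expected {code}, got {text!r}")

        expect("(banner)", 220)
        for cmd, code in [(f"helo {helo}", 250), (f"mail from:<{mail_from}>", 250),
                          (f"rcpt to:<{rcpt_to}>", 250), ("data", 354)]:
            sock.sendall((cmd + "\r\n").encode("ascii"))
            expect(cmd, code)
        message = (f"Subject: {subject}\r\n\r\n"
                   + "\r\n".join(dot_stuff(body.splitlines())) + "\r\n.\r\n")
        sock.sendall(message.encode("utf-8"))
        expect(".", 250)
        sock.sendall(b"quit\r\n")
        expect("quit", 221)
    return transcript


class FakeSmtpServer(threading.Thread):
    """Constructed stand-in for the gateway's Postfix: answers one session with
    Postfix-style replies and keeps the raw DATA bytes it was sent."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.received = b""

    def run(self):
        conn, _ = self.listener.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 piratefish.9kv.com ESMTP Postfix (Brannigan's Law)\r\n")
        while True:
            cmd = rfile.readline().decode("ascii", "replace").strip().lower()
            if cmd.startswith("helo"):
                conn.sendall(b"250 piratefish.9kv.com\r\n")
            elif cmd.startswith(("mail from", "rcpt to")):
                conn.sendall(b"250 Ok\r\n")
            elif cmd == "data":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                while True:
                    line = rfile.readline()
                    if line in (b".\r\n", b""):      # lone '.' ends the message
                        break
                    self.received += line
                conn.sendall(b"250 Ok: queued as TEST0001\r\n")
            elif cmd == "quit" or not cmd:
                if cmd:
                    conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"500 Error: command not recognized\r\n")
        conn.close()
        self.listener.close()


def run_offline_demo():
    """Run the test against the fake server; returns (reply codes, raw DATA bytes seen)."""
    server = FakeSmtpServer()
    server.start()
    transcript = smtp_test("127.0.0.1", server.port, "kim@aol.com", "bob@piratefish.org",
                           "Test Message", "This is a test.\n.This line starts with a dot.")
    server.join(timeout=5)
    return [code for _, code, _ in transcript], server.received


if __name__ == "__main__":
    codes, data = run_offline_demo()
    print("reply codes:", codes)
    print("server received:", data)
```

Against a real gateway, replace the fake server with `smtp_test("piratefish", 25, ...)`; the RuntimeError message names the command that failed and quotes the server’s reply, which is the text to look up in the Postfix log.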


Chapter 6: Configuring & Integrating MailScanner 


MailScanner is the core of Piratefish anti-spam operations. The Postfix mail 
server portion of the Piratefish is responsible for sending and receiving email. 
The MailScanner daemon is a background process that scans for email as it’s 
received and then it performs tests on those messages before handing them 
back to the Postfix mail server for delivery. 


MailScanner uses a flexible set of rules to determine what should be done with 
spam, and it also launches another daemon called SpamAssassin to provide 
more in-depth analysis of the messages themselves. 


1. Select the Postfix Mail Server link from the left-side Servers menu. 


2. Click on the Header Checks icon. 


3. Click on the Map Specifications radio box. In the MIME header 
checking tables blank space, fill out the following: 


regexp:/etc/postfix/header_checks 


Click on | Save and Apply | once done. 


[Screenshot: Header Checks page with “MIME header checking tables” set to 
Map specifications and the value regexp:/etc/postfix/header_checks.] 


4. Click on the Header Checks icon once more. 


5. Click on the Add a new mapping link. 
In the Description field, enter Hold for MailScanner 


In Regular expression, fill in /^Received:/ 


In Action for matches, choose Place in hold queue (with log message) 


Click the | Save Mapping | button. 


This will return you to the Header Checks screen. 


Click on the | Save and Apply | button. 
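The regular expression /^Received:/ with the hold action looks as though it would hold only messages that already carry a Received: header, yet it holds every message that arrives, which is exactly what MailScanner needs (its Incoming queue dir is set to /var/spool/postfix/hold in the next steps). The following is an added example for this guide, not the Piratefish author’s code and not Postfix; it is a simplified model of how Postfix evaluates a regexp: header_checks table (each logical header line is tried against the patterns in file order, the first match decides), and it demonstrates the reason the rule is universal: Postfix’s cleanup daemon prepends its own Received: header before header_checks runs, so even a message submitted with no Received: header is caught. The file contents and the test message are constructed; the rule is the one entered above.

```python
"""Why '/^Received:/ HOLD' parks every incoming message for MailScanner.

Added example for this guide, not the Piratefish author's code and not
Postfix. Simplified model of a regexp: header_checks table; the message and
file contents below are constructed.
"""
import re

# Constructed contents of /etc/postfix/header_checks as Webmin writes them.
HEADER_CHECKS = """\
# Hold for MailScanner
/^Received:/ HOLD
"""


def parse_regexp_table(text):
    """Parse '/pattern/[flags] action' lines (regexp_table(5) subset: no
    if/endif blocks, no negation). Matching is case-insensitive unless the
    'i' flag is present, which toggles it off."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/((?:\\.|[^/])*)/([a-zA-Z]*)\s+(.+)$", line)
        if not m:
            raise ValueError(f"unsupported header_checks line: {raw!r}")
        pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules


def unfold_headers(raw_message):
    """Split the header block into logical header lines, joining folded
    continuation lines (those starting with a space or tab)."""
    head = raw_message.split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def cleanup_prepend_received(raw_message, client_host, client_ip, my_hostname):
    """Model of the Received: header Postfix adds on receipt (format simplified)."""
    received = (f"Received: from {client_host} ([{client_ip}])\n"
                f"\tby {my_hostname} (Postfix) with SMTP\n")
    return received + raw_message


def apply_header_checks(raw_message, rules):
    """Return (action, header) for the first header any rule matches, else (None, None)."""
    for header in unfold_headers(raw_message):
        for regex, action in rules:
            if regex.search(header):
                return action, header
    return None, None


# Constructed message exactly as a client submits it: no Received: header.
SUBMITTED = ("From: kim@aol.com\nTo: bob@piratefish.org\n"
             "Subject: Test Message\n\nThis is a test.\n")


def demo():
    """Returns (action before cleanup, action after cleanup added Received:)."""
    rules = parse_regexp_table(HEADER_CHECKS)
    before = apply_header_checks(SUBMITTED, rules)[0]
    queued = cleanup_prepend_received(SUBMITTED, "localhost", "127.0.0.1",
                                      "piratefish.9kv.com")
    after = apply_header_checks(queued, rules)[0]
    return before, after


if __name__ == "__main__":
    print("as submitted:", demo()[0], "| after cleanup added Received:", demo()[1])
```

The first value is None and the second is HOLD: the hold is triggered by the header Postfix itself adds, not by anything the sender sent, which is why no legitimate message can slip past MailScanner through this rule.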


In the left-side menu, select MailScanner. 


Click on the System settings icon. 


Fill out the System Settings as shown: 


Fill out the Organization Name, Long Name and Website fields. 


Change the User to run as and Group to run as to postfix as shown. 


Change the Incoming queue dir to /var/spool/postfix/hold 


Change the Outgoing queue dir to /var/spool/postfix/incoming 


Change the Email Package to /usr/sbin/postfix 


Once these changes are made, click on the | Save | button — the screen 
will flash but not change back, so click on the Module Index link at the 
top of the page to exit this section. 
[Screenshot: MailScanner System settings page with these values:] 

Reports directory                       /etc/MailScanner/reports/en 
MailScanner.conf directory              /etc/MailScanner 
Rules directory                         /etc/MailScanner/rules 
Message Content Protection directory    /etc/MailScanner/mcp 
Organisation Name                       Pointswitch.com 
Organisation Long Name                  Pointswitch Networks 
Company Website                         www.pointswitch.com 
User to run as                          postfix 
Group to run as                         postfix 
Queue Scan Interval                     6 
Incoming queue dir                      /var/spool/postfix/hold 
Outgoing queue dir                      /var/spool/postfix/incoming 
Incoming work dir                       /var/spool/MailScanner/incoming 
Quarantine dir                          /var/spool/MailScanner/quarantine 
PID File                                /var/run/MailScanner/MailScanner.pid 
Restart Every                           7200 seconds 
Email package                           /usr/sbin/postfix 
Location of sendmail program            /usr/sbin/sendmail 
Commandline delivery options            /usr/sbin/sendmail -DOUTGOING 


10. Next, you must fix the MailScanner startup script so that MailScanner 
can run. 


The startup script that MailScanner comes with contains a hard-coded 
do-not-run directive in it. This directive must be removed in order for 
the program to run. 


To make this change, we’ll be using a file manager and editor that are 
built into Webmin. This program will be used quite a bit in the upcoming 
steps, so don’t close it until we’re done. 


Open the Others menu on the left. Select File Manager. 
You may see the following dialog, depending on your system: 


[Java security dialog: “Warning - Security. The web site's certificate cannot 
be verified. Do you want to continue? Name: 192.168.1.211. The certificate 
cannot be verified by a trusted source.”] 


Click on the | Yes | button. Now the Java applet will load. If your PC 
doesn’t have Java installed, you can get it free from Sun by visiting 
http://www.java.com. 


Once you’ve connected successfully, you'll see a file manager screen. 


Above the right-hand side of the screen is a single-line navigation area — 
click on it and type in /etc/default and press enter. 


Now click once on the mailscanner file to highlight it, as shown. 


[Screenshot: Webmin file manager listing /etc/default (acpid, 
linux-restricted-modules, locale, mailscanner, ntpdate, rcS, rsync, 
spamassassin, ...), all owned by root:root, with mailscanner highlighted.] 


Now click on the Edit icon on the top of the toolbar. 


A popup window will appear for editing the file, like this: 


Editing /etc/default/mailscanner 

#
# This sets how many days files will remain in the "quarantine" area before
# being automatically removed.
q_days=7
#
# This sets how much the priority of the mailscanner daemon should be
# reduced by (i.e. "nice -X"). Since it is a batch oriented task,
# there it can easily give up some CPU cycles to more interactive
# tasks. On a system with the main-task to scan mails set this to 0.
#
run_nice=2
#
# Uncomment this line once MailScanner has been fully configured.
#
#run_mailscanner=1
#
# Lockfile to inform scripts if MailScanner was stopped by hand
# and should not be started automaticly
#
stopped_lockfile=/var/lock/subsys/MailScanner.off

[ ] Windows newlines                                    Save & Close 


Be sure that the Windows newlines box is not checked. 


11. In the window, look for a line that reads: 

#run_mailscanner=1 

Remove the # sign in front of the line so that it reads 
run_mailscanner=1 

In Linux, removing a pound # sign from the front of a line is known as 
“un-commenting” something. Pound # signs appearing in a script file or 
configuration file are normally considered comment lines and are 
ignored by most programs. 


Click on the Save & Close button. 


Creating a SpamAssassin spooling folder. 


In the Webmin file manager, click on the path bar and type 
/var/spool/MailScanner and press enter. 


[Screenshot: Webmin file manager listing /var/spool/MailScanner with the 
folders archive, incoming and quarantine, each owned by mail:mail.] 


Now click on the New Folder icon in the toolbar and add 
spamassassin to the current path as shown. 


[New Directory dialog. New directory: /var/spool/MailScanner/spamassassin, 
with Create and Cancel buttons.] 
Click on the Create button to create the new folder. 


12. The MailScanner spool folder needs to have its ownership corrected in 
order for Postfix to write changes within it. 


Click on the path bar and type /var/spool and press enter. 


[Screenshot: Webmin file manager listing /var/spool: cron, cups, mail and 
postfix owned by root:root, MailScanner owned by mail:mail.] 


Highlight the MailScanner folder with a single click; select the Info 
button at the top of this window. 


The info box will appear. Make the following changes: 


Change the Permissions so that Group has its Write box checked. 


Change the User to postfix. 


Change the Group to postfix. 


In the Apply changes to section, choose 
This directory and all subdirectories. 


[Screenshot: Info dialog for /var/spool/MailScanner (Type: Directory, Size: 
4096, Modified: Tue Sep 08 20:42:45 MDT 2009) showing Permissions with 
Octal 0770, User postfix, Group postfix, and Apply changes to: This 
directory and all subdirectories.] 


Click on the Save button. 




13. The postfix spool folder needs its permissions corrected as well. 
Highlight the postfix folder with a single click; select the Info 
button at the top of this window. 


The info box will appear. Make the following changes: 


Change the Permissions so that Group has its Write box checked. 


Change the User to postfix. 
Change the Group to postfix. 


In the Apply changes to section, choose 
This directory and all subdirectories. 


[Screenshot: Info dialog for /var/spool/postfix (Type: Directory, Size: 4096, 
Modified: Thu Sep 10 22:06:51 MDT 2009) showing Permissions with Octal 0775, 
User postfix, Group postfix, and Apply changes to: This directory and all 
subdirectories.] 


Click on the Save button. 


14. The MailScanner lib folder needs to be corrected as well. 


Click on the File Manager path bar and type /var/lib and press enter. 


Highlight the MailScanner folder with a single click; select the Info 
button at the top of this window. 


A popup window will appear once again. 


Change the Permissions so that Group has its Write box checked. 


Change the User to postfix. 
Change the Group to postfix. 


In the Apply changes to section, choose 
This directory and all subdirectories. 


[Screenshot: Info dialog for /var/lib/MailScanner (Type: Directory, Size: 
4096, Modified: Tue Feb 17 15:53:17 MST 2009) showing Permissions with 
Octal 0770, User postfix, Group postfix, and Apply changes to: This 
directory and all subdirectories.] 


Click on the Save button. 


15. Open the System menu on the left, select Bootup and Shutdown. Find 
the button labeled | Reboot System | and use it to reboot the system. 


16. Once the server has rebooted, test once more as you did in Chapter 5. 
If this test works, then move on to Chapter 6. 


If testing fails... 


Re-check all steps and menus that you touched in Chapter 6. Check every box 
carefully and make sure everything matches what is shown. 


The most common mistakes made in this section are the setting of permissions 
as described in steps 10 through 15. Be sure to check those checkboxes! 
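The two mistakes that most often break this chapter are exactly the ones a script can check for: the startup script still disabled (or saved with Windows newlines, which leaves the shell reading run_mailscanner=1 followed by a stray carriage return, so the init script never sees the value), and spool directories that are not owned by postfix or lack the group write bit. The following is an added example for this guide, not the Piratefish author’s code; it audits the three directories the chapter re-owns (/var/spool/MailScanner, /var/spool/postfix and /var/lib/MailScanner, with the octal modes shown in the screenshots) and the contents of /etc/default/mailscanner. Run audit() as root on the gateway; demo() runs the same checks on a constructed temporary directory and constructed file contents so it works anywhere.

```python
"""Checks for the common Chapter 6 mistakes: startup script still disabled
(or saved with CRLF line endings) and spool directories without postfix
ownership or group write.

Added example for this guide, not the Piratefish author's code. demo() uses a
constructed temporary directory and constructed file contents.
"""
import grp
import os
import pwd
import stat
import tempfile

# Directories the chapter re-owns to postfix:postfix, with the octal modes
# shown in its screenshots.
EXPECTED_DIRS = {
    "/var/spool/MailScanner": 0o770,
    "/var/spool/postfix": 0o775,
    "/var/lib/MailScanner": 0o770,
}


def check_defaults_file(text):
    """Return the problems found in /etc/default/mailscanner content."""
    problems = []
    if "\r" in text:
        # With CRLF endings the shell reads the value as "1\r", so the init
        # script never sees run_mailscanner=1; this is what the "Windows
        # newlines" box in the Webmin editor is about.
        problems.append("file has Windows (CRLF) line endings")
    enabled = False
    for line in text.replace("\r", "").splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "run_mailscanner":
            enabled = value == "1"
    if not enabled:
        problems.append("run_mailscanner=1 is missing or still commented out")
    return problems


def _owner_names(st):
    """Resolve uid/gid of a stat result to names (falling back to numbers)."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def check_dir(path, user, group, mode):
    """Report owner, group and permission bits that differ from expectations.
    Only missing bits are reported: extra bits do not stop Postfix writing."""
    st = os.stat(path)
    findings = []
    have_user, have_group = _owner_names(st)
    if have_user != user:
        findings.append(f"{path}: owner is {have_user}, expected {user}")
    if have_group != group:
        findings.append(f"{path}: group is {have_group}, expected {group}")
    missing = mode & ~stat.S_IMODE(st.st_mode)
    if missing:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} lacks bits {missing:04o}")
    return findings


def audit(user="postfix", group="postfix", dirs=EXPECTED_DIRS, defaults="/etc/default/mailscanner"):
    """Audit the real gateway paths; returns a list of findings (empty means OK)."""
    findings = []
    for path, mode in dirs.items():
        if not os.path.isdir(path):
            findings.append(f"{path}: missing")
            continue
        findings.extend(check_dir(path, user, group, mode))
    try:
        with open(defaults, "r", newline="") as fh:   # newline="" keeps any CR visible
            findings.extend(f"{defaults}: {p}" for p in check_defaults_file(fh.read()))
    except OSError as exc:
        findings.append(f"{defaults}: {exc}")
    return findings


def demo():
    """Run both checks on constructed inputs; returns
    (CRLF-file problems, good-file problems, ok-dir findings, bad-dir findings)."""
    crlf_file = "#run_mailscanner=1\r\nrun_nice=2\r\n"
    good_file = "run_mailscanner=1\nrun_nice=2\n"
    with tempfile.TemporaryDirectory() as tmp:
        me, my_group = _owner_names(os.stat(tmp))
        os.chmod(tmp, 0o770)
        ok = check_dir(tmp, me, my_group, 0o770)
        os.chmod(tmp, 0o750)      # group Write box left unchecked: the common mistake
        bad = check_dir(tmp, me, my_group, 0o770)
    return check_defaults_file(crlf_file), check_defaults_file(good_file), ok, bad


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On the gateway, `python3 thisfile.py` prints the demo; calling `audit()` from a Python prompt as root lists every real deviation from the chapter’s settings, so the reboot in step 15 is only attempted once the list is empty.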


High Performance Tuning Adjustments 


Getting more performance out of a Piratefish isn't necessary for most small- 
scale deployments, but there are cases where things should run a bit faster than 
default. If you get more than 1000 messages per hour, then these tips should 
help keep you out of trouble and help the Piratefish keep up with the workload. 


The default timings in the Piratefish can add as much as 15 seconds of additional 
latency between the time a message is received and when it’s queued for 
delivery to your mail server. Part of this latency is the time taken to actually 
perform the spam tests. One step towards speeding things up is done by 
default during the installation — the inclusion of the Bind program for DNS 
lookups and caching. Bind caches the DNS-based MailScanner black-list checks 
as though they were normal DNS lookups. 


When tuning for performance, it's important to watch things like the mail queue 
(done at the command prompt with the mailq command) and make sure that 
messages are leaving the queue faster than they're coming in. 


There are Linux tools for watching the system - one favorite of mine is called top, 
which has the ability to watch the system and see what it's doing and what 
processes are taking the most of the system resources. 


Linux observer's note: When you examine the RAM in use on a Linux machine, this number will be 
continually climbing. This is a normal behavior of Linux as it will cache all the disk index files in 
RAM as they are used. This speeds up disk access quite a bit, but can be disconcerting when you 
look at top and see 100% of RAM in use. Fortunately, the caching process drops the lesser used 
cache entries from RAM as programs declare their need for RAM. 
To learn more about any command, simply use the man command to read its man page. 
The command man top — will provide ample information about top and how it works. 


As for the changes shown here, remember that any changes to settings require 
you to bounce the MailScanner process - and MailScanner doesn't bounce as 
kindly in Linux through Webmin as it should. This means that you'll get better 
bouncing through direct console or SSH access than you will with Webmin 
controlling it - or you can just reboot the Piratefish. Just because your main mail 
relay is offline for a few minutes doesn't mean that you'll miss messages - it just 
means that the messages that didn't make it will try again a little later. 


MailScanner Module Tuning Options 


Maximum number of child forks 


This value should be roughly set to 5 forks per processor, or 4 forks per core. 
So, for instance, if you have two dual-core CPU's, you can set the number of 
child forks to 16 - four per core. If you're running your Piratefish on a dual-CPU 
quad-core setup, the numbers say that 32 forks is acceptable. 


Queue Scan Interval 


This defaults to 6 seconds. Lower this to 3-4 seconds on systems having more 
work to do. In a large multi-CPU setup, running this with 2 may be okay as well, 
but only in the most high-performance cases. Setting this to 1 on really busy 
systems is mandated, but be sure to increase the number of child forks. 


Postfix module Tuning Options 
Max number of parallel deliveries to the same destination 


This defaults to 20. If you're getting messages at 1000 per hour, this number 
hits around 75% - and that's assuming uniform delivery density which is very 
unlikely. This should be raised to something higher, just remember not to 
overdo it. Setting this to 50 is probably a good next step, but probably not good 
if it has to top 100. Current recommendations are to keep this around 10. 
Initial concurrency level for a delivery to the same destination 


This default of 5 can be raised as needed. For a site getting more than 1000 
messages per hour, raising this to 20 should be okay. For more performance, 
raise it higher - but try to keep this below 100 as well. 


Min time (secs) between attempts to deliver a deferred message 


This sets the system to wait 1000 seconds (16.6 minutes) between delivery 
attempts when a message has been deferred. A deferral is a short term 
undeliverable, and 16 minutes isn't a bad time setting. If you need things done 
faster, setting this to a lower number will make the Piratefish deliver messages 
more aggressively. It is recommended that this number not be lowered below 
300 seconds due to problems that might be caused with greylisting services. 


More information on greylisting is provided in the greylisting chapter. 


Time (secs) between scanning the deferred queue 


If you have lowered the time between attempts above, lowering this time is also 
recommended. If you want mail delivered as fast as possible due to high 
volumes, lowering this down to 60 seconds might be reasonable - however, this 
is a setting that should be watched. 


Max time (secs) between attempts to deliver a deferred message 


When a message is not delivered for any reason, it is deferred. Each time a 
message is deferred, the time between delivery attempts increases. If you have 
a large backlog of undelivered messages, raising this will reduce the amount of 
time the server spends trying to deliver the undeliverable message. For the 
purposes of higher performance delivery, setting this higher might reduce the 
workload if you're receiving a lot of messages that can't be delivered. 




Automated Permissions Correction 


Final note: In the Troubleshooting section at the end of this book, there’s a 
section that documents using the postfix set-permissions command as root to 
manually correct any permission errors one might see in the logs. 


Fixing the Insecure dependency error in SweepOther.pm 


In Ubuntu 9 and 10, an error has been reported in some installations that 
reports the following error: 


File checker failed with real error: Insecure dependency in exec while running 
with -T switch at /usr/share/MailScanner//MailScanner/SweepOther.pm line 
374. 


This error happens due to the folks at Canonical (the people who maintain 
Ubuntu) not updating the MailScanner package to the latest version — they 
consider MailScanner to be part of the universe packages, and not actually 
something to keep updated as a primary package. Folks can likely relate to their 
point of view from a financial perspective, but we don’t have to like it. 


To make this correction, you need to manually update the MailScanner with the 
installation package from Debian, which is the source-distro for Ubuntu anyway. 


This fix is suggested for ALL Piratefish users. Without this, you may see errors 
and experience queue looping, where messages never seem to get processed. 


1) We need to download the latest version of the MailScanner package 
from Kernel.org. On your Windows computer, open the following URL: 
http://mirrors.kernel.org/debian/pool/main/m/mailscanner 


On this page you will see a lot of files listed: an index of 
/debian/pool/main/m/mailscanner with Name, Last modified and Size columns, 
listing the .dsc, .diff.gz, .orig.tar.gz and _all.deb files for each MailScanner 
version (from 4.55.3 of December 2006 up to 4.79.11-2 of April 2010). 


On this page you want to find the latest .deb file for MailScanner. 


In this case, the filename is: 


mailscanner_4.79.11-2_all.deb 


Now use the wget command on your Piratefish to download this “deb” 
package. Enter the command: 


wget http://mirrors.kernel.org/debian/pool/main/m/mailscanner/mailscanner_4.79.11-2_all.deb 


The file will download immediately. 


root@piratefish:~# wget http://mirrors.kernel.org/debian/pool/main/m/mailscanner/mailscanner_4.79.11-2_all.deb 
--2010-06-14 ...--  http://mirrors.kernel.org/debian/pool/main/m/mailscanner/mailscanner_4.79.11-2_all.deb 
Resolving mirrors.kernel.org... 149.20.20.135, 204.152.191.39 
Connecting to mirrors.kernel.org|149.20.20.135|:80... connected. 
HTTP request sent, awaiting response... 200 OK 
Length: 712820 (696K) [text/plain] 
Saving to: ‘mailscanner_4.79.11-2_all.deb’ 

100%[======================================>] 712,820      482K/s   in 1.4s 

2010-06-14 21:58:45 (482 KB/s) - ‘mailscanner_4.79.11-2_all.deb’ saved [712820/712820] 

root@piratefish:~# 


2) Now we'll perform the install, which may fail. Enter the command: 

dpkg --install mailscanner_4.79.11-2_all.deb 


3) During the installation process you will be asked if you wish to install a 
new version of the config file, or keep your existing one. Please keep 
your existing config file by pressing N. If you do not do this, you will 
likely have to back up a few chapters and double-check your settings. 


4) Once this has completed, one more installation should be done. 
Perform the following addition to smooth things around a bit: 

apt-get install libconvert-tnef-perl libdbd-sqlite3-perl libfilesys-df-perl libmailtools-perl libmime-tools-perl libmime-perl libnet-cidr-perl libsys-syslog-perl libio-stringy-perl libfile-temp-perl 


5) Once this is complete, reboot and test your Piratefish once more. 


Chapter 7: Adding SpamAssassin to MailScanner 


Note: Due to a bug in the Webmin MailScanner Plug-in, this step doesn’t work 
right. You need to perform both the GUI changes below, and then follow it up 
with the file edit. 


This is what should work: 
Go into the Webmin MailScanner control panel and click on the SpamAssassin icon. 


Modify the SpamAssassin User State Dir to read: 


/var/spool/MailScanner/spamassassin 

and click on the Save button. 


If you follow these steps you will see your update disappear! The SpamAssassin 
User State Dir will not keep the updated value. This is the bug in the 
MailScanner Webmin Plugin. 


The following instructions will fix the file so that this bug isn't a problem. 


1. Webmin -> Others -> File Manager 

2. Click on the path bar and type /etc/MailScanner and press enter. 

3. Click on the file MailScanner.conf and Edit it. 

4. Use the Find button and search for #SpamAssassin User. Click on Find, 
then click on Close. 

5. This will locate a pair of lines — one that is commented out and 
another that has a blank section after the equals sign — you will 
have to scroll down to see them both. 


#SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin 
SpamAssassin User State Dir = 


6. Remove the pound # sign from this line: 

#SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin 
7. Remove this line entirely: 

SpamAssassin User State Dir = 


If this is done correctly, it will look like this: 


SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin 


8. Click on the Save & Close button. 

9. Reboot your system: Webmin -> System -> Bootup and Shutdown, then 
click on the Reboot System button. When it asks if you are sure, click on 
the Reboot System button once more. 


10. Once the system has restarted, perform the telnet email test once 
again to ensure that mail is getting relayed through the system. 


If the system is able to relay email, then move on to the next 
section. 
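The same edit done from the command line, as an added example that is not part of the original guide: it uncomments the line carrying the path, removes the blank-valued line and counts the active settings so you can confirm exactly one remains. make_sample_conf writes a constructed fragment standing in for /etc/MailScanner/MailScanner.conf, so the block runs without touching a live server.

```shell
# Added example (not from the Piratefish guide). Fixes the
# "SpamAssassin User State Dir" pair of lines in a MailScanner.conf.

# make_sample_conf: write a constructed fragment reproducing the broken
# pair of lines and print its path. Not the real MailScanner.conf.
make_sample_conf() {
    f=$(mktemp)
    printf '%s\n' \
        '# constructed sample fragment' \
        'Use SpamAssassin = yes' \
        '#SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin' \
        'SpamAssassin User State Dir = ' \
        'SpamAssassin Install Prefix =' > "$f"
    echo "$f"
}

# fix_sa_state_dir: keep a .bak copy, remove the line with nothing after
# the equals sign and uncomment the line that carries the real path.
# Usage: fix_sa_state_dir /etc/MailScanner/MailScanner.conf
fix_sa_state_dir() {
    conf="$1"
    tmp="$conf.tmp.$$"
    cp -p "$conf" "$conf.bak" || return 1
    awk '
        /^SpamAssassin User State Dir[ \t]*=[ \t]*$/ { next }
        /^#SpamAssassin User State Dir[ \t]*=[ \t]*\// { sub(/^#/, "") }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# sa_state_dir_count: number of active lines that set a non-empty path;
# after the fix this must be exactly 1.
sa_state_dir_count() {
    grep -c '^SpamAssassin User State Dir[ \t]*=[ \t]*[^ \t]' "$1" || true
}
```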


Chapter 8: Configuring MailScanner to use ClamAV 


1. Webmin -> Servers -> MailScanner 


2. Click on the Virus scanning and Vulnerability Testing icon. 


3. In the List of virus scanners section make sure it's set to auto. 


4. In the last item, Allow Password Protected Archives, you can choose 
Yes or No. 


Generally these should be permitted since they're widely used. If you 
prefer to keep things a little tighter, you can leave this set to No. 
Systems admins beware - if archived files are permitted now and you 
start blocking them, you will hear about it. 
5. Once the changes are done, click on the Save button and then click 
on the Return to Module index button. 


6. Now things are set to use ClamAV, but one more update is needed to 
ensure that ClamAV updates itself regularly. 


To do this, we need to create something called a symbolic link. This link 
will be placed into a directory of programs run every day. 


Webmin -> Others -> File Manager 


7. Navigate to the /etc/cron.daily folder by typing it into the path section 
and press Enter. 


8. Click on the New Symbolic Link button. 


9. Now enter the following items into the popup: 


Link from: /etc/cron.daily/freshclam 
Link to: /usr/bin/freshclam 


and click on the Create button. 


10. Once this is done, you should have a new entry in your list in the 
cron.daily folder. 


As you can see, this is a list of scripts that will run every day on the Piratefish 
server. By placing a symbolic link to the freshclam program, when this directory 
of commands is processed, freshclam will be run also. 


For those of you really concerned about Anti-Virus solutions and you’re thinking 
about putting this symbolic link into the cron.hourly folder instead so that your 
virus signatures are updated 24 times per day, please remember that your 
desktop PCs should have anti-virus software on them as well. Running this 
script hourly will work, but it puts a lot of stress on the ClamAV servers and ISP 
connection — these folks are giving this stuff away for free, so please try not to 
beat them up over it. 


If you however insist on using hourly updates, I recommend paying the ClamAV 
folks for their efforts. They’ve done a great job and they deserve it. 


This is all that’s needed to add Anti-Virus scanning and have it update 
automatically. 
Chapter 9: What to do with spam? 


This section will walk you though some initial settings that will start putting the 
Piratefish into spam-fighting action. 


In the Piratefish configuration, all messages from untrusted hosts and networks 
are scanned with SpamAssassin. When SpamAssassin reads through a message, 
it generates a spam score which can be read by other programs to help them in 
their decision making. Generally, emails that get a score of 5 or more are spam, 
or contain spam-like elements. 


1. Webmin -> Servers -> MailScanner 


2. Click on the What to do with Spam icon. 


The default settings will deliver most emails, however messages that are 
considered spam will have an extra header added into them that will contain 
"X-Spam-Status: Yes". The addition of this X-Spam-Status header plays nicely with 
other programs and mail readers, and enables your users to set up their PCs to 
collect all mail sent to them while automatically redirecting spam into their junk 
email folders. 


High scoring spam is, by default, stored in the quarantine folder. If you wish to 
not see high-scoring spam at all, you can change the High Scoring Spam Actions 
from store to delete. If you quarantine messages, you will have the ability to 
review and forward them back out of the system. You will also have to delete 
them every once in a while. 


The quick and dirty way to empty out the quarantine folder is to execute this 
command every once in a while: 


rm -rf /var/spool/MailScanner/quarantine 


Please note that this command, if mistyped, can erase your entire hard disk — so 
be careful! 
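A safer way to empty the quarantine than rm -rf, added here and not part of the guide: the function refuses any path that does not end in /quarantine and deletes only the per-day entries older than a retention period, so a mistyped path cannot take the disk with it. The per-day sub-directory layout is MailScanner's own; the 30-day retention is an assumption.

```shell
# Added example (not from the Piratefish guide): prune old quarantine
# entries instead of rm -rf on the whole directory.

# quarantine_prune: delete entries older than N days (default 30, an
# assumed retention) from the quarantine directory. The guards refuse
# anything that does not look like a quarantine directory and never run
# rm -rf on the variable itself, only on entries find selected inside it.
# Usage: quarantine_prune /var/spool/MailScanner/quarantine 30
quarantine_prune() {
    dir="$1"; days="${2:-30}"
    case "$dir" in
        */quarantine) ;;
        *) echo "refusing: $dir does not end in /quarantine" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "refusing: $dir is not a directory" >&2; return 1; }
    case "$days" in
        ''|*[!0-9]*) echo "refusing: days must be a whole number" >&2; return 1 ;;
    esac
    # MailScanner files quarantined mail under one sub-directory per day
    # (YYYYMMDD); remove only top-level entries whose mtime is old enough.
    find "$dir" -mindepth 1 -maxdepth 1 -mtime +"$days" -exec rm -rf {} +
}

# quarantine_count: number of entries currently in the quarantine directory.
quarantine_count() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}
```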
A quick note on bouncing messages... 


In the past people believed that “bouncing” a message back to its source was a 
good idea, and in friendlier times it was. 


Given the volumes of spam we have to deal with today, bouncing messages 
back to their senders tends to cause clogging problems as well provide feedback 
to the spammers. 


I strongly recommend that you don’t bounce messages ever — the problems it 
can cause are too great to enumerate. 


When you are done, click on Save, then click on Return to module index. 

Chapter 10: Blacklists 


Blacklists can block more than 90% of the spam you’re getting now, if you're not 
already using them. 


Some notes about Spamming and Spam Blacklists... 


Legitimate spammers (bulk email services) pay ISPs lots of money to maintain 
their connections. Many ISPs refuse to deal directly with spammers because of 
the troubles they cause and the bad reputation they all have. 


Hacker/Spammers search for vulnerable mail servers, attack them, and then use 
them to relay their messages out to the world. Other groups go as far as to try 
and infiltrate various parts of the open-source software community to introduce 
spammer-friendly software bugs into popular software so that folks can 
unwittingly help them. 


Bot Spammers are Hacker/Spammers that design viruses and Trojan horse 
software and spread them throughout the world using newsgroups, spam- 
emails, and even in distributions of cracked software like Microsoft Office. Bot’s 
are the most prevalent source of spam on the Internet, and the folks who run 
them have taken to using redundant distributed control channels — previously 
IRC was used, but now even twitter is being used to control bots. 


Relay Spammers search the Internet for open email relays. Open email relays 
are systems that have been misconfigured to send email for anyone to 
anywhere. This method of spamming is very old, but still effective - blacklists 
were originally created to combat the problem of open relays, but have since 
expanded their scope as the spammers have chosen more advanced tactics. 


With the use of a good set of blacklists, you can block all of these kinds of spam 
immediately. More advanced filtering, such as Bayesian filtering, is designed to 
catch things that are so new, they’re not yet blacklisted. 

How Blacklists Work 


Blacklisting services are actually large scale databases that perform thousands, 
perhaps even hundreds of thousands of database lookups every minute. That’s a 
lot of traffic for any system, but the folks who figured out how to build blacklists 
were clever — they chose the fastest and simplest database lookup system ever 
— and it has the advantage of automatically caching commonly asked questions 
as well. All spam blacklist checks are done using modified DNS lookups. 


DNS is normally used to resolve names into IP addresses, however, if you direct 
all your queries to a blacklist server, it can provide simple one word answers 
quickly to millions of queries. 


When the Piratefish receives an email and a blacklist check is performed, the 
Piratefish will make a series of blacklist lookups to each of your defined 
blacklists and ask each one about the server delivering the message. 


Under some rare circumstances, blacklists shut down permanently. This has 
happened 3 times since 1995, and twice in the last four years. When using a 
blacklist it is important to join that blacklist’s news list so that you can be 
warned if they are shutting down. 


In the past when Blacklists have closed down, the new network owners have 
found themselves with unusable IP addresses because of the volume of 
incoming DNS requests being sent to what used to be blacklist servers. In each 
case, the new owner of those IP addresses has setup a server to respond to the 
blacklist queries and report that everyone is blacklisted. When this happens to 
you, all mail will stop coming in — remember this now so that you can recognize 
this later if it happens to you. 
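The lookup a blacklist check actually sends, as an added example that is not from the guide; zen.spamhaus.org and bl.spamcop.net are the public zones behind the spamhaus-ZEN and spamcop.net list names. dnsbl_sanity is the check that catches the dead-list case described above, using the RFC 5782 test addresses (127.0.0.2 must be listed, 127.0.0.1 must never be).

```shell
# Added example (not from the Piratefish guide): the DNS lookup a
# blacklist check performs, plus the dead-list sanity test.

# dnsbl_name: reverse the four octets of the connecting host's address
# and append the list's zone, e.g. 192.0.2.7 against zen.spamhaus.org
# becomes 7.2.0.192.zen.spamhaus.org.
dnsbl_name() {
    ip="$1"; zone="$2"
    rev=$(printf '%s' "$ip" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
    printf '%s.%s\n' "$rev" "$zone"
}

# dnsbl_lookup: ask the list. A listed host comes back as one or more
# 127.0.0.x A records (each list documents which x means which sub-list);
# an unlisted host returns nothing. Needs network access and `host`.
dnsbl_lookup() {
    host -t A "$(dnsbl_name "$1" "$2")" 2>/dev/null |
        awk '/has address/ { print $NF }'
}

# dnsbl_sanity: RFC 5782 test points. Every DNSBL must list 127.0.0.2
# and must never list 127.0.0.1. A zone that lists 127.0.0.1 is the
# "everyone is blacklisted" failure described above and should come out
# of the Spam List; a zone that does not list 127.0.0.2 is dead or
# unreachable and only costs you lookup timeouts.
dnsbl_sanity() {
    zone="$1"
    if [ -n "$(dnsbl_lookup 127.0.0.1 "$zone")" ]; then
        echo "$zone: lists 127.0.0.1 - every sender would be blocked"
        return 1
    fi
    if [ -z "$(dnsbl_lookup 127.0.0.2 "$zone")" ]; then
        echo "$zone: does not list 127.0.0.2 - list dead or unreachable"
        return 2
    fi
    echo "$zone: ok"
}

# Public zones behind two of the guide's Spam List names:
# for z in zen.spamhaus.org bl.spamcop.net; do dnsbl_sanity "$z"; done
```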


Types of Spam Blacklists 


Different spam blacklists are focused on different types of spam sources. DNS 
blacklists recommended for the Piratefish are: 

spamhaus-ZEN — This blacklist combines the three blocklists that Spamhaus 
maintains — the SBL, XBL and PBL. The SBL blacklists known spam sources and 
spam operations. The XBL blacklists systems hosting illegal 3rd party exploits, 
open proxies and related evils. The PBL is not so much a blacklist as it is a list of 
known places where email should not come from — such as DHCP assigned IP 
space, dialup pools, and other userland Internet address spaces. Visit 
http://spamhaus.org for more information. 


spamcop.net — This is a blacklist database that reports the IP addresses of folks 
sending unwanted messages. This list is publicly maintained and is a good start 
towards reporting spam when you receive it. Visit http://spamcop.net for more 
information. 


NJABL — Not Just Another Bogus List - this blacklist lists known open relays, 
proxies, and open form-relay and other forms of 3rd-party email relay 
exploitation systems. Visit http://njabl.org for more information. 


SORBS — SORBS is a comprehensive set of lists covering a number of different 
spamming types. SORBS also scans the Internet to find vulnerable systems and 
blacklist them automatically. They also list out people who demand never to be 
tested by them. Visit http://www.au.sorbs.net for more information. 


Setting up blacklists 


1. Webmin -> Servers -> MailScanner -> Spam detection and 
spam lists (DNS blocklists) 


2. Under Spam List, remove the comment # in front of the 
listing for the spamhaus-ZEN list and add spamcop.net NJABL and 
SORBS-DNSBL. 


This will make the Piratefish check four different Block List servers. It is 
strongly recommended you subscribe to their mailing lists and consider 
donating to them to keep them operating. 

The Spam detection and spam lists (DNS blocklists) screen then shows: Spam 
Checks Yes; Spam List spamhaus-ZEN spamcop.net NJABL SORBS-DNSBL; Spam 
Domain List default; Spam Lists To Reach High Score 1; Spam List Timeout 10 
seconds; Max Spam List Timeouts 7; Spam List Timeouts History 10; Is Definitely 
Not Spam ruleset %rules-dir%/spam.whitelist.rules; Ignore Spam Whitelist If 
Recipients Exceed 20. 


Spam Checks ® Yes O No O tuleset Luce 
Spam List © Default © |spamhaus-ZEN spamcop.net NJABL SORBS-DNSBL | 

Spam Domain List O Default © fica 
Spam Lists To Reach High Score © Default © |1 CJ Edit 
Spam List Timeout O Default © 10 | Seconds 

Max Spam List Timeouts O Defautt © [7 C.J exit 
Spam List Timeouts History O Default © [10 _ == = [zal Edit 
Is Definitely Not Spam O Yes O No © ruleset |%rules-dir%/spam.whitelistrules |... } Edit 
Is Definitely Spam © Yes © No O ruleset “all 
Definite Spam Is High Scoring © Yes © No O tuleset| | = 
Ignore Spam Whitelist If Recipients Exceed © Default © [20° 


@ Retum to module index 


3. Change the Spam Lists to Reach High Score option to read 1. 


4. Click on Save, then click on Return to module index. 


5. Click on the Apply Changes button. 


6. About 30 seconds after step 5, refresh the page and make sure that the 
MailScanner process is still running. If it’s not running, click on the 
Start Server button. 


Note: Those of you living in parts of the world using English as a second (or 
third) language, you may want to change the Spam Lists to Reach High Score to 
2 or 3 and read your logs before trusting a setting of 1. 


Many spam lists have taken up the process of black-listing entire blocks of IP 
addresses from certain ISPs and countries, and this may result in false-positives 
and lost email. Countries most affected by this problem are China, Russia and 
Korea, as servers in these countries are some of the largest sources of spam. 


If a particular spam list is blacklisting emails you need to receive, you should 
remove the offending list from the Piratefish Spam List configuration. 
Chapter 11: White Lists 


Businesses don’t want a Piratefish server blocking important messages. Ever! 


Whitelisting is an important feature of any spam filtering system. Whitelisting 
of email addresses and domains ensures that important messages will bypass 
the spam filter entirely. Proper use of whitelists ensures your electronic 
business continuance. 


Things you might want to whitelist include; 


• The domain names of your customers and vendors; 
• Any mailing lists, spam blacklists, payroll and medical insurers; 
• Relatives, friends’ domains, your web hosting provider, etc. 


White lists aren’t perfect. If you do a lot of email with folks using AOL, MSN or 
Yahoo, you'll find that whitelisting them will result in a lot of spam coming in 
from folks using those services for their spamming. The good news is that you 
can white list only specific email addresses or entire domains as well. 


If you've already explored around your Piratefish a bit, you have probably 
noticed that there is a whitelist area set up in the SpamAssassin GUI. This should 
not be used - SpamAssassin is being called by MailScanner with separate 
configuration files - if you whitelist emails in the SpamAssassin GUI, these will 
be ignored by your Piratefish configuration. Whitelisting is best set up within 
MailScanner itself. 


To configure the whitelisting in MailScanner: 


1. Go to Webmin -> Servers -> MailScanner -> 
Spam detection and spam lists (DNS blocklists) 

2. In this screen, the whitelists are hidden in the 
"Is Definitely Not Spam" area, which is set to the ruleset 
%rules-dir%/spam.whitelist.rules. Click on the word "Edit". 


In this file you'll find the default entry. 


This entry should always be the last entry in the file - if you erase 
the default rule, you can turn your Piratefish server into an open 
spam relay. 


File: /etc/MailScanner/rules/spam.whitelist.rules 

# If you are basing a blacklist on this then you can refer to 
# a null (empty) sender address with "/^$/" as the address to match. 
# 
# This is where you can build a Spam WhiteList 
# Addresses matching in here, with the value 
# "yes" will never be marked as spam. 
#From: 152.78. yes 
#From: 130.246. yes 
FromOrTo: default no 


Add your whitelist entries above the highlighted line (FromOrTo: default no). 


Entries added to the whitelist can contain IP addresses (partial or 
complete), email addresses, entire domains, etc. 


File: /etc/MailScanner/rules/spam.whitelist.rules (after adding entries) 

# If you are basing a blacklist on this then you can refer to 
# a null (empty) sender address with "/^$/" as the address to match. 
# 
# This is where you can build a Spam WhiteList 
# Addresses matching in here, with the value 
# "yes" will never be marked as spam. 
#From: 152.78. yes 
#From: 130.246. yes 
From: apple.com yes 
From: securitynews@securityfocus.com yes 
FromOrTo: default no 

The screenshot also shows several other From: ... yes entries whose 
addresses have been blanked out. 


Once you've added your whitelist entries, click on the save button. 


After making changes to the whitelist, it's best to stop and re-start 
the MailScanner daemon using the controls on the MailScanner screen. 


When you click on the Apply Changes button the MailScanner daemon 
will stop and not automatically restart. When you refresh the page you 
will see this. Until it is restarted, no mail delivery will occur. 


Please also note that whether or not the MailScanner is running, the 
Postfix mail server will likely still be accepting message deliveries in 
the background — however those messages will be queuing up for 
the MailScanner once it’s running again. 
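A command-line check for the rules file, added here and not part of the guide: it verifies that FromOrTo: default no is still the last active line, and inserts new From: entries directly above it so the default cannot be pushed out of place. make_sample_rules builds a constructed copy of the file mirroring the listing above.

```shell
# Added example (not from the Piratefish guide): checks and edits for
# /etc/MailScanner/rules/spam.whitelist.rules done from the shell.

# make_sample_rules: constructed copy of the rules file mirroring the
# listing in the guide; prints its path.
make_sample_rules() {
    f=$(mktemp)
    printf '%s\n' \
        '# If you are basing a blacklist on this then you can refer to' \
        '# a null (empty) sender address with "/^$/" as the address to match.' \
        '#' \
        '# This is where you can build a Spam WhiteList' \
        '# Addresses matching in here, with the value' \
        '# "yes" will never be marked as spam.' \
        '#From: 152.78. yes' \
        '#From: 130.246. yes' \
        'From: apple.com yes' \
        'From: securitynews@securityfocus.com yes' \
        'FromOrTo: default no' > "$f"
    echo "$f"
}

# rules_default_ok: true only if the last active (non-comment, non-blank)
# line is the catch-all "FromOrTo: default no". Losing that line is what
# the guide warns turns the server into an open spam relay.
rules_default_ok() {
    last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1)
    [ "$last" = "FromOrTo: default no" ]
}

# whitelist_add: insert "From: <address-or-domain> yes" immediately above
# the default rule, so the default stays last. Refuses to edit a file
# whose default rule is missing rather than guess where entries belong.
whitelist_add() {
    f="$1"; addr="$2"
    rules_default_ok "$f" || { echo "$f: default rule missing or not last" >&2; return 1; }
    tmp="$f.tmp.$$"
    awk -v entry="From: $addr yes" '
        /^FromOrTo: default no$/ { print entry }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# whitelist_count: number of active From: entries in the file.
whitelist_count() {
    grep -c '^From: .* yes$' "$1" || true
}
```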
Chapter 12: Configuring LogWatch 


Logwatch is a tool that is built into Ubuntu Linux that provides a convenient way 
to generate reports about the various daemons in a Linux system. 


In our case, we need to execute something like this every day: 
logwatch --service MailScanner 
This simple command will generate a report and print it on your screen. 


Note: In the Linux console, it is possible to read things that have scrolled out of 
the window using the keystrokes Ctrl+PageUp and Ctrl+PageDn. 


In order to run the logwatch command regularly, something called a “cron job” 
is needed. Cron is a program that can run commands at specified times. Cron 
jobs are usually setup from the command line, but in this case we're going to 
use Webmin to set it up. 


1. Go to Webmin -> System -> Scheduled Cron Jobs 


The Scheduled Cron Jobs screen lists the jobs already present, each with an 
Active? column: the scripts in /etc/cron.hourly (mailscanner), /etc/cron.daily 
(standard, 00logwatch, aptitude, mlocate, man-db, apt, spamassassin, libvirt-bin, 
dpkg, logrotate, mailscanner, popularity-contest, apport, bsdmainutils), 
/etc/cron.weekly (man-db), /etc/cron.monthly (standard) and 
/etc/webmin/cron/tempdelete.pl. Above and below the list are the links Select 
all, Invert selection, Create a new scheduled cron job, Create a new environment 
variable and Control user access to cron jobs. 
2. Click on Create a new scheduled cron job. The Create Cron Job form has 
Job Details (Execute cron job as, Active?, Command, Input to command, 
Description) and a When to execute section with a Simple schedule 
pull-down or Times and dates selected below, plus a Date range to execute. 


3. Click on the Execute cron job as button at the top, and choose root from 
the popup list window. This will make this scheduled item run as root. 


4. In the Command box, fill in the following: 


/usr/sbin/logwatch --service mailscanner --mailto address@domain.com 


5. Then add a description into the Description field. 


6. Now click on the Simple schedule radio button and choose Daily (at 
midnight) from the pull-down menu. 


7. Once everything looks right, click on the Create button. 
The completed Create Cron Job form: Execute cron job as root; Active? Yes; 
Command /usr/bin/logwatch --service mailscanner --mailto johnny@piratefish.org; 
Description Nightly Reporting Run; Simple schedule Daily (at midnight); Run on 
any date. 
Now the Piratefish will generate nightly statistics reports and email them to you. 


The Scheduled Cron Jobs list now shows the new job at the bottom, after the 
/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly 
scripts and /etc/webmin/cron/tempdelete.pl: 

Yes /usr/bin/logwatch --service mailscanner --mailto johnny@piratefish.org 
Chapter 13: Changing your Piratefish IP Address 


Not everyone can setup a machine ready for production deployment at their 
desk. In these cases, people may be forced to use one IP address setup during 
the build, and another one for implementation. 


During the initial setup of the Piratefish, your system may have assigned itself a 
DHCP address — dynamic IP addresses like this are okay for workstations, but 
servers generally need to have their IP addresses nailed down tight so that 
things keep on working after a reboot. 


If your network doesn’t have or use DHCP, or if you took steps to manually 
assign a static IP address, then you can skip this chapter and move on. 


Linux servers won’t usually have a nice clean way to change their IP address 
unless a local GUI is installed. Fortunately, Webmin provides a very nice way to 
reconfigure networking. 


It is strongly recommended that a user familiarizes themselves with this section 
in its entirety prior to following these instructions. 


1. Go to Webmin -> Networking -> Network Configuration 


2. Click on the Network Interfaces icon. 


Network Interfaces 


3. In the screen that follows you will see an interface summary page 
(Network Interfaces, Active Now tab). Interfaces listed in this table are 
currently active on the system. In most cases, you should edit them under 
the Activated at Boot tab. 


Name    Type      IP Address                Netmask         Status 
eth0    Ethernet  192.168.1.82              255.255.255.0   Up 
        Ethernet  fe80::20c:29ff:fe72:b2b4  64              Up 
lo      Loopback  127.0.0.1                 255.0.0.0       Up 
        Loopback  ::1                       128             Up 
virbr0  Unknown   192.168.122.1             255.255.255.0   Up 


Below the table are the De-Activate Selected Interfaces button and the 
Return to network configuration link. 
The interface called "eth0" is the primary Ethernet interface on a Linux 
machine. The address on it might look familiar as you either manually 
entered it, or it was assigned by your DHCP server. 


Take note of the two tabs on this section — they’re labeled Active Now 
and Activated at Boot. 


When changing the IP address of your Piratefish, you should only 
change the settings in the Activated at Boot section. This will help 
ensure that you won't lose the ability to manage the system. Changes 
made to the Active Now section are immediate and should only be done 
by experienced admins who are ready to make the change. 


For those who like the “Cisco” approach to changes, go ahead and 
change the Active Now settings and then go ahead and move the wires 
around as needed. If you can get back in after re-wiring, change the 
Activated at Boot settings to match the Active Now settings and test- 
reboot when you can. If you can’t get back in after switching the wires, 
rewire and reboot the system — the IP address settings will revert. 


4. Click on the tab titled Activated at Boot. Now you will see the 
interfaces that will be activated when the system boots up (and will 
generally be active now too): 


Name  Type      IP Address  Netmask    Activate at boot? 
eth0  Ethernet  From DHCP   Automatic  Yes 
lo    Loopback  Automatic   Automatic  Yes 


Below the table are the Delete Selected Interfaces, Delete and Apply 
Selected Interfaces and Apply Selected Interfaces buttons. 


5. Click on eth0. Fill in the IP address, subnet mask and broadcast address. 


On the Edit Bootup Interface screen (Boot Time Interface Parameters) the 
Name is eth0, Activate at boot? is Yes, and the Address source changes 
from From DHCP to Static configuration, with IP Address 192.168.1.82 and 
Netmask 255.255.255.0. The Save, Delete and Apply and Delete buttons are 
at the bottom. 


If you’re having trouble figuring out what your broadcast address is, see 
the section of the Appendix titled Understanding CIDR Network 
Addressing. Broadcast addresses are always the very last IP address of 
a particular network. Note: Go back and look at how eth0 is setup in the 
Active Now tab — it might help. 


6. Once the editing is complete, click on the Save button. 


7. Click on Return to network configuration. 


8. Now click on the Routing and Gateways icon. 


This should bring you to a window where the Boot time configuration 
tab is already selected. Click on the Gateway radio button and fill in the 
IP address of your default router. 


On the Routing and Gateways screen (Boot time configuration tab, which 
configures the routes that are activated when the system boots up or when 
network settings are fully re-applied), the Default router is set to 
Gateway 192.168.1.1 on eth0 instead of None (or from DHCP). 


9. Click on the Save button once you are done. 


10. If you are ready to activate the new settings, then reboot the system. 
Webmin -> System -> Bootup and Shutdown -> Reboot System 


From here you’re welcome to either reboot or shutdown the system. 


Once the system has shut down, you are ready to move it to its new home and 
plug it into its new network. 


Editing network settings by hand 


In the event that the system is unreachable over the network when you’re done 
changing its IP address, it is possible to manually edit the IP address to correct 
any mistakes. 


To manually edit the Interface, log into the local console as root and run the 
command: 


pico /etc/network/interfaces 


[Screenshot: GNU nano 2.0.9 editing the interfaces file]


Once your changes are complete, save the file and enter the reboot command.

If you’re used to using Windows commands like ping and traceroute to test networking, they are both available. Unlike the tracert command in Windows, the traceroute command in Linux is always fully spelled out.
Chapter 14: Deploying your Piratefish


Congratulations! You’ve built your Piratefish Anti-spam gateway! Now you need to put it to work.


If you’ve gotten this far along, then your Piratefish is ready to start relaying email. It’s not a completely configured server yet, but it’s now deployable and can start reducing your spam right away. Chapters 14-17 focus on specific tasks and feature additions; these additional features have some preparation requirements and take a bit more time to complete. For now, however, getting the Piratefish deployed is the first order of business.


If your network is firewalled, putting the Piratefish into action might be as simple as telling the firewall to redirect email from the outside world into the Piratefish. If you know your networking, then you might already be able to do what’s needed without reading this chapter. If you don’t know your networking very well, then you might want to hire this one out, or try it yourself. Networking and security is a much more involved subject than can be covered here, and there are plenty of hungry engineers out there who make house calls. Visit Craigslist -> Gigs -> Computer for more info.


For the vast majority of you, one of the configurations listed below is similar to how your email server is set up now.


[Diagram: two configurations. Left: The Internet -> Firewall -> Mail Server with Public IP Address. Right: The Internet -> Firewall (public IP, inbound translation) -> Mail Server with Private IP address and NAT]


Please read the section that is more appropriate to your configuration. 
Section 1: Mail Server with Public IP address.


If you have the public IPs to support this configuration, give the Piratefish a public IP address as well. When doing this, the only things you will need to do are assign it an IP, protect it, tell the mail server to trust that IP and ignore the rest of the world, and change the DNS so that email is delivered to the Piratefish server directly.


Telling your email server to trust the Piratefish is an important step. This trust is 
something that is defined in the mail server, and may be referred to as either 
trusted relays, trusted clients, trusted networks or unauthenticated senders. It 
is important that you do this before proceeding; otherwise legitimate emails 
could be lost. 


Removing the public IP from your existing mail server may not be a good idea, as this might interfere with sending messages and would make reaching webmail impossible. It can also make picking up and sending email remotely impossible, unless you force users to use a VPN.


One thing to be aware of in this configuration is that even though DNS will direct email to the new server, some spammers search for mail servers by scanning every IP address, and they will try to bypass the Piratefish by delivering messages directly to your old mail server unless you have good firewalling and relay trusts defined. It is very important to configure your existing email server to refuse all unauthenticated email coming from external IP addresses once this is working.


Remember that spammers don't always follow the rules - delivering email to a 
properly defined mail server is only a suggestion to them, not a strict rule like it 
is to us. 


Blocking port 25 inbound to your old email server from the Internet could be 
done, but that could interfere with messages being sent by external email users 
if you're using SMTP along with POP or IMAP protocols. 
If you deploy your Piratefish so that it becomes a new mail server for your network, then you will need to register a DNS name for your Piratefish and point your DNS MX record to that newly registered DNS name.


Modifying DNS Entries & Making a School of Fish 


Let’s say, for example, you have a mail server with the public IP address 1.2.3.4 
called mail.domain.org and you have your new Piratefish at IP address 1.2.3.5. 
If your DNS record had only one MX entry (Mail eXchanger), there would be 
entries in your DNS that look like this: 


mail A 1.2.3.4 
domain.org MX preference = 10, mail exchanger = mail.domain.org. 


The Piratefish in this situation will need its own DNS entry, let’s call it 
piratefish.domain.org and that entry will point to IP address 1.2.3.5. Now to 
direct email to this server, you'll need to change your DNS so that the MX record 
points to the fish. A simple replacement would get you this: 


mail A 1.2.3.4 
piratefish A 1.2.3.5 
domain.org MX preference = 10, mail exchanger = piratefish.domain.org. 


If you're really paranoid about reliability, then you could make two MX records, 
like this: 


mail A 1.2.3.4
piratefish A 1.2.3.5
domain.org MX preference = 10, mail exchanger = piratefish.domain.org.
domain.org MX preference = 20, mail exchanger = mail.domain.org.


This would ensure that no messages are missed, however, when a spammer 
figures this out, they'll just keep delivering to the second server — or to all of 
them. 


One way to provide both protection and reliability is to build a school of Piratefish servers. By using more than one Piratefish, you can set up your DNS so that the Piratefish servers are listed as the primary and secondary mail servers:

mail A 1.2.3.4
piratefish A 1.2.3.5
piratefish2 A 1.2.3.6
domain.org MX preference = 10, mail exchanger = piratefish.domain.org.
domain.org MX preference = 20, mail exchanger = piratefish2.domain.org.


Under ideal circumstances, setting up multiple Piratefish servers at different 
locations would provide the best performance and uptime possible. 
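As an added example (not part of the original guide), the following shell functions check an MX list of the kind that "dig +short MX domain.org" prints against the rule above: any MX host that is not a Piratefish is a path spammers can deliver through. The record lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Piratefish guide.
# all_mx_filtered FISH_HOST... < mx-records
#   Reads "preference host" lines on stdin (the shape that
#   "dig +short MX domain.org" prints) and checks that every MX host is one
#   of the Piratefish hosts given as arguments. Any other MX host is a path
#   that lets spammers deliver around the filter, so it is printed and the
#   function returns 1. Returns 0 when every MX host is a Piratefish host.
all_mx_filtered() {
    status=0
    while read -r pref host; do
        [ -n "$host" ] || continue          # skip blank lines
        host=${host%.}                      # drop the trailing dot of a FQDN
        filtered=1
        for fish in "$@"; do
            if [ "$host" = "${fish%.}" ]; then filtered=0; fi
        done
        if [ "$filtered" -ne 0 ]; then
            echo "MX $pref $host is not a Piratefish: mail can bypass the filter"
            status=1
        fi
    done
    return $status
}

# lowest_mx < mx-records
#   Prints the host with the lowest preference value (the primary MX).
lowest_mx() {
    sort -n | head -n 1 | while read -r pref host; do echo "${host%.}"; done
}

# Constructed sample matching the two-MX layout shown above (fish first,
# old mail server second).
sample_records() {
    printf '%s\n' '10 piratefish.domain.org.' '20 mail.domain.org.'
}

main() {
    echo "Primary MX: $(sample_records | lowest_mx)"
    if sample_records | all_mx_filtered piratefish.domain.org; then
        echo "All MX hosts are Piratefish hosts."
    else
        echo "Fix: point every MX at a Piratefish, or make the old mail server" \
             "refuse unauthenticated mail from external IPs."
    fi
}

main
```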


Section 2: Mail Server with Private IP address and NAT 


In this situation, the Piratefish can be located anywhere behind your firewall. If 
your email server is located on your company's main network, then this is an 
excellent opportunity to segment your network and increase your security. By 
isolating your Piratefish from the rest of your network, you add the extra 
assurance that anyone hacking into the fish won't have an open door into your 
network. Ideally, your mail server should be segmented off the main network as 
well, though most networks don’t go to this extreme. 


This configuration offers some flexibility in terms of traffic redirection, as it is possible to direct inbound SMTP traffic directly to the fish, while hiding its web access behind the same IP address as that used by the mail server itself. Using this method with a load balancing firewall could even turn a school of fish into a load-balanced inbound mail processing system, all linked to a single public IP.

[Diagram: The Internet -> Firewall (single public IP) -> Mail Server (private IP) and one or more Piratefish servers (private IPs)]


One clear advantage of this configuration is that no changes are needed on the 
public DNS record. This also permits you to make quick and easy changes to 
remove the fish if necessary. 
Chapter 15: Removing Backscatter


Backscatter is a term for email that bounces out of a system to senders who didn't send it. Backscatter bounces are considered by many to be as bad as spamming. Backscatter happens when a mail gateway accepts traffic for delivery, then finds that it can’t deliver the traffic and bounces it back to where it came from; but the place it came from was forged, making the bounce either undeliverable or, worse, confusing someone into thinking they sent a message that they didn't.


Implementation of this chapter is optional, but it is recommended that 
backscatter be prevented if possible. Instructions on implementing SPF 
protection in Chapter 18 do include recipient address checking to some extent, 
but it's not as thorough or efficient as defining the recipients in the Piratefish 
server itself. 


For example:

[Diagram: 1. An evil spammer sends a message for tammy@piratefish.org from the forged sender tom@aol.com. 2. The delivery attempt to the Mail Server fails because there's no user named tammy@piratefish.org. 3. The error ("There is no tammy@piratefish.org!") is bounced to tom@aol.com.]


In this diagram, a spammer sends a spam at your network, and he forges his name so that it looks like he’s tom@aol.com. The Piratefish accepts this email since it’s being delivered to tammy@piratefish.org. There is no tammy@piratefish.org however, and the Piratefish server doesn’t know this.
When the Piratefish tries to deliver the mail to the real mail server, the mail server responds with an error telling the Piratefish that this message is undeliverable. The Piratefish then queues up the message as a bounce, and sends it off to the sender. Because the sender’s address was forged, tom@aol.com gets an email from your Piratefish server saying that this message to tammy@piratefish.org was undeliverable.


This problem can be solved simply by telling the Piratefish server what email 
addresses to accept email for. If the Piratefish knows who your possible 
recipients are, spammers can be immediately refused delivery. 


Please note that this process means that whenever you add or remove someone from your mail server, you will need to edit the configuration on the Piratefish. For larger organizations there are better alternatives, such as LDAP user verification; for smaller, static networks this method is fine.


1. Gather together a list of all valid email addresses that will be protected 
by the Piratefish server. 


This list should include all email addresses, mailing lists and aliases for 
every domain the Piratefish is protecting. 


2. Go to Webmin -> Others -> File Manager


3. Click on the path bar and type /etc/postfix and press enter. 


4. Click on the New File icon. In the window that appears, type in the filename as relay_recipients.

[Screenshot: Creating file dialog. Filename: /etc/postfix/relay_recipients]
5. Now fill in the file with all the known email addresses gathered in step 1. The file should look like this:

# Address list as of 11/27/2009
johnny@piratefish.org OK
abuse@piratefish.org OK
sales@piratefish.org OK
@pointswitch.com OK


Each address should be on its own line. Note that each address includes the word OK after it. Comment lines are preceded by a # (hash) character.

Entire domains that need to pass, but are not specific, should be listed with the “@domain.com OK” method as shown.


Please note that this method has an “in for a penny, in for a pound” approach, meaning that if you apply this type of recipient control for any part of your Piratefish, all domains must have a relay listing, even if it’s just a blanket forward entry as shown for the pointswitch.com domain.
Once you’re done editing the file, click on the Save & Close button.


Note: If you have a Microsoft Exchange server, there are scripts available online to export all of your Microsoft Exchange users’ email addresses. Google for “postfix backscatter exchange” for more information.


Once the relay_recipients file has been created successfully, you'll need 
to log into the Piratefish as root and type the following commands: 


cd /etc/postfix 
postmap /etc/postfix/relay_recipients 


Note: This step must be done after every change to the 
relay_recipients file. 


The relay_recipients file is compiled into a special database format used 
by Postfix. If this step isn’t done after an update, legitimate email could 
be blocked! 


Once this is done, if you run ls in the /etc/postfix directory, you will see a new file called relay_recipients.db created specifically for Postfix by the postmap command.


In the File Manager screen, highlight the file main.cf and click on the Edit icon on the top toolbar.


Move to the bottom of the file and add the line: 


relay_recipient_maps = hash:/etc/postfix/relay_recipients 


Click on the Save & Close button.


10. Now the Postfix program needs to be reloaded. This can be done in one of three ways:

Use Webmin to perform a reboot: Webmin -> System -> Bootup & Shutdown -> Reboot

or, at the Piratefish root console, type in the command "reboot"

or, enter the command "postfix reload" from the root prompt.


Once the reboot or reload is complete, test the system once more. 
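Here is an added shell example (not from the Piratefish guide) that checks a relay_recipients table for the two mistakes this procedure warns about: a malformed or missing entry, and a .db file that was not rebuilt with postmap after an edit. The sample table and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Piratefish guide: checks a Postfix
# relay_recipients table before it is compiled with postmap, and reports a
# compiled .db that is older than its source. Function names are assumed here.

# check_relay_recipients FILE DOMAIN...
#   Every non-comment line must be "<user@domain> OK" or "@domain OK", and
#   every protected DOMAIN must appear at least once, because with
#   relay_recipient_maps set, Postfix rejects mail for any relay domain that
#   has no entry in the table. Prints each problem; returns 1 if any found.
check_relay_recipients() {
    file=$1; shift
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) continue ;;                       # blank line or comment
        esac
        key=${line%%[[:space:]]*}                     # text before first blank
        value=$(printf '%s' "${line#"$key"}" | tr -d '[:space:]')
        if [ "$value" != "OK" ]; then
            echo "$file:$lineno: expected '<address> OK', got: $line"
            rc=1
            continue
        fi
        case "$key" in
            @*.*)   ;;                                # whole-domain entry
            ?*@*.*) ;;                                # single address
            *) echo "$file:$lineno: '$key' is not an address or @domain"; rc=1 ;;
        esac
    done < "$file"
    for domain in "$@"; do
        pattern=$(printf '%s' "$domain" | sed 's/\./\\./g')
        if ! grep -Eiq "^[^#[:space:]]*@${pattern}[[:space:]]+OK[[:space:]]*$" "$file"; then
            echo "$file: no entry for $domain; all mail for it would be rejected"
            rc=1
        fi
    done
    return $rc
}

# db_is_stale FILE
#   True (0) when FILE.db is missing or older than FILE, i.e. postmap has
#   not been run since the last edit and Postfix is still using old data.
db_is_stale() {
    [ ! -e "$1.db" ] || [ "$1" -nt "$1.db" ]
}

# Demonstration on a constructed table in a temporary directory.
demo() {
    dir=$(mktemp -d)
    table=$dir/relay_recipients
    cat > "$table" <<'EOF'
# Address list (constructed sample)
johnny@piratefish.org OK
abuse@piratefish.org OK
@pointswitch.com OK
EOF
    # example.net has no entry, so the check reports it
    check_relay_recipients "$table" piratefish.org pointswitch.com example.net || true
    if db_is_stale "$table"; then
        echo "$table.db is missing or stale: run 'postmap $table' then 'postfix reload'"
    fi
    rm -r "$dir"
}

demo
```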
Chapter 16: Configuring the Linux Firewall


The computer industry has seen much evolution in the field of security. Traditionally, network segmentation has been the most popular way to secure parts of the network, but this method has limitations.

To compensate for these limitations, host-based protections are now considered as important as having a firewall. One great feature of the Linux OS is that it has a fully functional firewall built in. Using this firewall takes some know-how, but with Webmin, things are a good bit easier.


The instructions provided here will guide you to configure the firewall to permit remote management and email functions.


1. Go to Webmin -> Networking -> Linux Firewall


When you arrive at this page, you might be confronted with a message 
like this: 


[Screenshot: Webmin Linux Firewall module, Rules file /etc/iptables.up.rules]

Webmin has detected 2 IPtables firewall rules currently in use, which are not recorded in the save file /etc/iptables.up.rules. These rules were probably setup from a script, which this module does not know how to read and edit.

If you want to use this module to manage your IPtables firewall, click the button below to convert the existing rules to a save file, and then disable your existing firewall script.

[Save Firewall Rules button] [ ] Enable firewall at boot time?


This message appears because the virtual machine additions were not just for VM clients: the virtual machine packages loaded the tools to build a virtual machine server as well, and the firewall rules that Webmin is talking about relate to a shared network bridge that was created for it.

I recommend that you remove this problem by running the following two commands from a root prompt on your Piratefish:


apt-get purge kvm 
apt-get purge libxen3


Once these commands have been run, reboot your Piratefish and then 
return to Webmin -> Networking -> Linux Firewall. 


If the screen looks like this, you are okay to proceed. 


[Screenshot: Webmin Linux Firewall module, Rules file /etc/iptables.up.rules]

No IPtables firewall has been setup yet on your system. Webmin can set one up for you, to be stored in the save file /etc/iptables.up.rules, with the initial settings based your selection of firewall type below.

(x) Allow all traffic
( ) Do network address translation on external interface: eth0
( ) Block all incoming connections on external interface: eth0
( ) Block all except SSH and IDENT on external interface: eth0
( ) Block all except SSH, IDENT, ping and high ports on interface: eth0
( ) Block all except ports used for virtual hosting, on interface: eth0

[Setup Firewall button] [ ] Enable firewall at boot time?


Note that the default here is to "Allow all traffic".

2. Click on Block all except SSH, IDENT, ping and high ports on interface:

3. Make sure the interface pull-down shows the eth0 interface (assuming that is the right network interface on your Piratefish server).

Note that if you’re setting up a Piratefish with multiple interfaces,

4. Check the box at the bottom that says Enable firewall at boot time?
[Screenshot: the same Linux Firewall setup page with "Block all except SSH, IDENT, ping and high ports on interface: eth0" selected and "Enable firewall at boot time?" checked]


5. Once everything looks correct, click on the Setup Firewall button.


You will be presented with a screen like this: 


[Screenshot: Webmin Linux Firewall, Rules file /etc/iptables.up.rules, Showing IPtable: Packet filtering (filter)]

Incoming packets (INPUT)

Action   Condition
Accept   If input interface is not eth0
Accept   If protocol is TCP and TCP flags ACK (of ACK) are set
Accept   If state of connection is ESTABLISHED
Accept   If state of connection is RELATED
Accept   If protocol is UDP and destination port is 1024:65535 and source port is 53
Accept   If protocol is ICMP and ICMP type is echo-reply
Accept   If protocol is ICMP and ICMP type is destination-unreachable
Accept   If protocol is ICMP and ICMP type is source-quench
Accept   If protocol is ICMP and ICMP type is time-exceeded
Accept   If protocol is ICMP and ICMP type is parameter-problem
Accept   If protocol is TCP and destination port is 22
Accept   If protocol is TCP and destination port is auth
Accept   If protocol is ICMP and ICMP type is echo-request
Drop     If protocol is TCP and destination port is 2049:2050
Drop     If protocol is TCP and destination port is 6000:6063
Drop     If protocol is TCP and destination port is 7000:7010
Accept   If protocol is TCP and destination port is 1024:65535

Set Default Action To: Drop

Forwarded packets (FORWARD): There are no rules defined for this chain. Set Default Action To: Accept

Outgoing packets (OUTPUT): There are no rules defined for this chain. Set Default Action To: Accept

Apply Configuration: Click this button to make the firewall configuration listed above active. Any firewall rules currently in effect will be flushed and replaced.
Revert Configuration: Click this button to reset the configuration listed above to the one that is currently active.
Activate at boot: Yes / No. Change this option to control whether your firewall is activated at boot time or not.
Reset Firewall: Click this button to clear all existing firewall rules and set up new rules for a basic initial configuration.


6. In this screen, the basic rules provided are almost perfect; we just need to add in one protocol, SMTP on port 25.


Instead of adding a rule from scratch, let's simply borrow an existing rule and make our changes to the copy. On the previous page you'll see an arrow pointing to a line that shows this:

Accept   If protocol is TCP and destination port is 22

Click on the word Accept in this line. Be careful not to change anything yet. Go to the bottom of the screen and click on the Clone Rule button.


In the Clone Rule page, change the following lines:

In the rule comment, change SSH to SMTP.

In the Destination TCP or UDP port section, change the 22 to a 25.


The changed lines should look like this: 


[Screenshot: Clone Rule page. Chain and action details: Part of chain: Incoming packets (INPUT); Rule comment: Allow connections to our SMTP server; Action to take: Accept. Condition details ("The action selected above will only be carried out if all the conditions below are met"): Incoming interface, Outgoing interface, Fragmentation, Source TCP or UDP port, Source address or network and Destination address or network all Ignored; Network protocol: Equals TCP; Destination TCP or UDP port: Equals Port(s) 25]
8. Once your edits are complete, click on the Create button at the bottom of the page.


9. Once this is done, you’ll see your rule listed at the bottom of the firewall 
rules list. This rule needs to be moved up so that it’s just underneath 
the SSH rule we just cloned. 


On each rule line, note the gray arrows on the right side of each rule. Use the gray up-arrow to move your new rule to where it belongs, underneath the SSH rule.


Be careful as each click causes a screen refresh, and the rule will be 
moving each time. 


Once you’re done moving, the rules should look like this:

[Screenshot: Webmin Linux Firewall, Rules file /etc/iptables.up.rules]

Incoming packets (INPUT)

Action   Condition
Accept   If input interface is not eth0
Accept   If protocol is TCP and TCP flags ACK (of ACK) are set
Accept   If state of connection is ESTABLISHED
Accept   If state of connection is RELATED
Accept   If protocol is UDP and destination port is 1024:65535 and source port is 53
Accept   If protocol is ICMP and ICMP type is echo-reply
Accept   If protocol is ICMP and ICMP type is destination-unreachable
Accept   If protocol is ICMP and ICMP type is source-quench
Accept   If protocol is ICMP and ICMP type is time-exceeded
Accept   If protocol is ICMP and ICMP type is parameter-problem
Accept   If protocol is TCP and destination port is 22
Accept   If protocol is TCP and destination port is 25
Accept   If protocol is TCP and destination port is auth
Accept   If protocol is ICMP and ICMP type is echo-request
Drop     If protocol is TCP and destination port is 2049:2050
Drop     If protocol is TCP and destination port is 6000:6063
Drop     If protocol is TCP and destination port is 7000:7010
Accept   If protocol is TCP and destination port is 1024:65535


10. Click on the Apply Configuration button at the bottom of the screen.


11. Now reboot your Piratefish. 


Webmin -> System -> Bootup and Shutdown -> Reboot System 


12. Once the system comes back online, test all remote management functions (SSH & HTTPS on port 10000) and then test the mail functions of the server once again. As a final test, log into the root prompt and run the command:

apt-get update


If all is well, this should complete without errors, and the system should 
be able to get updates online without issue. 


Command Line Firewall Information and Troubleshooting 


The iptables firewall system that is built into Linux is very workable, but if you play around with its configuration and make a mistake, it’s possible to lock yourself out of your own system, or worse, to block it from doing its job.


If your experiments result in a loss of connectivity, resetting the firewall back to its default state isn’t hard. Note that this MUST be done from the local console: the first command will disconnect you from any remote connections! To reset the firewall policy, start by logging into the local console on the machine as root, and execute the following commands:


iptables --flush 
iptables --policy INPUT ACCEPT 


The first command removes all the rules; the second tells the system that it should accept any connection attempts. Note that this changes only the active running firewall configuration, and has no bearing on the saved rules that will be in play upon a reboot.


Once this is done, you should be able to get back in using Webmin. Go to 
Webmin -> Networking -> Linux Firewall 
Now you can correct whatever mistake you made in your firewall, and go ahead and apply the change.


If you wish to start over, there is a Reset Firewall button at the bottom of the page that can reset the firewall configuration. Using it undoes all of your changes and lets you start this chapter over from the beginning.


If you’re interested in exploring some more of the command line options for the 
firewall, try running the command iptables-save as this will display all the 
different iptables commands that are used to build the firewall configuration. 


For your consideration - a cruel firewall rule modification 


One of the many modifications that’s been suggested by Piratefish users needs to be mentioned here. Anyone who’s run a mail server and closely examined the logs over time can tell you that when spammers find you, they go to extremes to get their job done. Spam attacks are common, but that doesn’t mean you have to lie down and not worry about them.


During a spam attack, the spammer will connect to your mail server and try 
sending to a list of names, words, possible aliases, and just about everything 
they can muster in their kitchen sink. These attacks can go for days, and your 
logs will fill with all sorts of crap. One Piratefish user saw over 1 million emails 
in a day, with only 400 legitimate messages. While this kind of volume isn’t 
normal for a small organization, it’s not uncommon for attacks like this to 
happen at night or weekends when they’d go unnoticed. 


The iptables firewall has the ability to remember and block certain source IPs if they reach certain thresholds during normal email operations. This update is a little more complex than most, but it's got some nice evil roots to it.


This update makes the iptables firewall in your Piratefish keep track of the 
various connections coming into it, and if the same IP address connects more 
than 4 times in a single minute, it gets blocked for any further connections until 
less than 4 connection attempts have occurred in the last minute. 
This update is a tad bit controversial, as it's possible that it could result in a mail delivery slowdown from an external email source if that source is sending too many separate messages. This could delay delivery if something important is expected, or if you have a lot of folks dealing with large common email domains like Yahoo, MSN, Hotmail, GMail and the like.


So, controversy aside, this addition is purely optional and recommended only 
for more technical users. 


1. Go to Webmin -> Networking -> Linux Firewall


2. Delete the port 25 SMTP rule we cloned earlier in this section: check the checkbox next to it in the policy, then click on the Delete Selected button. Now click on the Apply Configuration button.


3. Open a root prompt window and paste into it the following four lines:

iptables -A INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "BLOCK: "
iptables -A INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT


Note that there are four lines displayed above, each starting with the iptables command; due to space constraints these lines may appear wrapped. Copy and paste them directly from this page into a PuTTY SSH session, or paste them into a non-wrapping text editor first to ensure there are four lines of code.
4. When these four lines are added to the running firewall policy, they are added to the bottom of the firewall policy. In order to make them work correctly a few more steps are required.


5. Return to the Webmin GUI, and go back into the Linux Firewall page.


6. At the bottom of the page, find the Revert Configuration button and click on it.


This will now load in the rules you’ve added and display them as they 
are currently listed in your policy. 


7. The four additional rules were added to the bottom of your firewall policy; these need to be relocated so that they’re below the SSH line, just like the cloned rule we added previously.


Using the gray arrows, move each of the four lines up into place. 


The end result should look like this: 


Action       Condition
Accept       If input interface is not eth0
Accept       If protocol is TCP and TCP flags ACK (of ACK) are set
Accept       If state of connection is ESTABLISHED
Accept       If state of connection is RELATED
Accept       If protocol is UDP and destination port is 1024:65535 and source port is 53
Accept       If protocol is ICMP and ICMP type is 0
Accept       If protocol is ICMP and ICMP type is 3
Accept       If protocol is ICMP and ICMP type is 4
Accept       If protocol is ICMP and ICMP type is 11
Accept       If protocol is ICMP and ICMP type is 12
Accept       If protocol is TCP and destination port is 22
Do nothing   If protocol is TCP and input interface is eth0 and destination port is 25 and state of connection is NEW
Log packet   If protocol is TCP and input interface is eth0 and destination port is 25 and state of connection is NEW
Drop         If protocol is TCP and input interface is eth0 and destination port is 25 and state of connection is NEW
Accept       If protocol is TCP and destination port is 25 and state of connection is NEW
Accept       If protocol is TCP and destination port is 113
Accept       If protocol is ICMP and ICMP type is 8
Drop         If protocol is TCP and destination port is 2049:2050
Drop         If protocol is TCP and destination port is 6000:6063
Drop         If protocol is TCP and destination port is 7000:7010
Accept       If protocol is TCP and destination port is 1024:65535


8. Once you are done moving the rules into place, click on the Apply Configuration button.


9. Now that the policy is setup, it’s important to reboot and test the 
changes. 


Go to Webmin -> System -> Bootup and Shutdown -> Reboot System 
and reboot the system. 


10. Once the system has completed its reboot, send a test message as usual. Everything should function as expected.


Also perform full management access tests and an apt-get update to 
make sure that all firewall functions are working. 


11. To see what this change does to spammers, we need to perform some 
faster testing. To perform fast testing in this case, sending a complete 
email message is not required. Just connecting and disconnecting is 
enough to test the rule. 


Using the same external system you use to test in Chapter 5, telnet to 
your Piratefish server on port 25 (as shown in Chapter 5) and then issue 
the command quit to immediately disconnect. 


Do a few of these within a minute, and you’ll enjoy the results. 


This modification is straightforward, but it makes spammers work much harder
to attack your systems. Remember that regular email systems try very hard to
deliver messages, so delays, unreachable destinations and other speed bumps are
par for the course for them. Spammers have a lot of work to do, and don't
always have the massive resources needed to figure out why some messages don't
get delivered. Their spam-bots might not be terribly RFC compliant either, so
they may fail, retry and give up entirely, whereas a real email message can be
held for days waiting to get delivered.
Chapter 17: Adding Bayesian Filtering


By the time you’ve reached this chapter, your Piratefish server will hopefully be 
fully operational, and blocking a decent percentage of your spam. Right now it 
stops anything that's blacklisted or blatant spam. Spammers get paid to deliver 
their messages, so they work hard to find ways around and through your 
protection. At this point, some messages have probably gotten through. 
Optimally, you should have kept copies of these messages as well. 


The SpamAssassin daemon used in the Piratefish has a feature called Bayesian 
filtering. Bayesian filtering learns how to tell good email (known as ham) from 
bad (known as spam) with your help. Because Bayesian filters must be taught 
what is good and what is bad, ham from spam, it's necessary to build collections 
of both good and bad emails, and then feed them into the fish's spamassassin 
program so it can learn. At least 200 hams and 200 spams must be prepared for 
fish training, and to be fed into the fish, they need to be stored in a standard 
MBOX mailbox format. 


Getting the files into an MBOX format can be a bit difficult. One method I’ve 
recently found is to use the Thunderbird email client to import your messages 
from Outlook, then move the spam and ham messages into folders within 
Thunderbird, then find the disk files where those mailboxes are stored — then 
upload those into your Piratefish. For more details, see the section in the 
Appendix titled Getting messages into MBOX format. 


Before doing any training, it's important to configure the MailScanner
SpamAssassin configuration file so that it knows which header entries to ignore
during the learning process. Not setting this can cause emails to be
misclassified, and you don't want that.


1. Go to Webmin -> Others -> File Manager


2. Type /etc/MailScanner into the path area and press enter.


3. Highlight the file spam.assassin.prefs.conf with a single click and click
on the Edit icon on the top toolbar.


Within the file, find a group of lines that look like this; 


bayes_ignore_header unconfigured-debian-site-MailScanner 
bayes_ignore_header unconfigured-debian-site-MailScanner-SpamCheck 
bayes_ignore_header unconfigured-debian-site-MailScanner-SpamScore 
bayes_ignore_header unconfigured-debian-site-MailScanner-Information 


Edit these lines and replace the words unconfigured-debian-site with the
name of your mail server. How this will appear depends on your full domain
name. For the Piratefish server named piratefish.piratefish.org, it would
look like this;


bayes_ignore_header piratefish.piratefish.org-MailScanner
bayes_ignore_header piratefish.piratefish.org-MailScanner-SpamCheck
bayes_ignore_header piratefish.piratefish.org-MailScanner-SpamScore
bayes_ignore_header piratefish.piratefish.org-MailScanner-Information


Adding headers for your own mail server is also recommended. Keep in mind
that spams that get through will be delivered to your mail server and later
be brought back to this server for training, so telling SpamAssassin to
ignore your own systems' headers is a good idea. Add a line for each of your
systems, for example:


bayes_ignore_header mail.piratefish.org 
bayes_ignore_header relay.piratefish.org 


Once you are done editing this file, click on the Save & Close button, 
then reboot your Piratefish server. 


You are now ready to train your Piratefish. 
To continue from this point, you'll need to copy into your fish the two mailbox
files - one that contains spam (bad emails) and one that contains ham (good 
emails). This is a good time to practice using scp as introduced in Chapter 2. 


It's very important to get good samples of both good mail and bad mail, because 
without them, the fish won't be able to tell good from bad — and this can result 
in false alarms or worse. Up until now, the fish has been Bayesian ignorant — 
this section will change that for the better, and the difference will be noticeable. 
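

Before copying the mailboxes up, it helps to confirm that each one really is in MBOX format and holds at least the 200 messages called for above, and to see which filter headers the messages already carry so you can compare them against the bayes_ignore_header lines you just edited. The following Python script is an added example, not part of the Piratefish guide or its scripts. It builds a constructed sample corpus in a temporary directory; the gateway header names it stamps (X-piratefish.piratefish.org-MailScanner and -SpamScore) are assumed for the demonstration, and the /root/spam and /root/ham paths in the usage note are the ones this chapter uses.

```python
import mailbox
import os
import tempfile
from collections import Counter

MIN_PER_CORPUS = 200           # the guide's minimum: 200 hams and 200 spams
FILTER_MARKER = "MailScanner"  # substring identifying headers the gateway adds


def count_messages(path):
    """Number of messages in an mbox file (0 if the file does not exist)."""
    if not os.path.exists(path):
        return 0
    box = mailbox.mbox(path)
    try:
        return len(box)
    finally:
        box.close()


def filter_headers(path, marker=FILTER_MARKER):
    """Header names containing `marker`, with how many messages carry each.

    Every name reported here should be covered by a bayes_ignore_header line,
    otherwise the Bayes filter learns your own gateway's verdicts instead of
    the message content.
    """
    seen = Counter()
    box = mailbox.mbox(path)
    try:
        for msg in box:
            for name in set(msg.keys()):
                if marker in name:
                    seen[name] += 1
    finally:
        box.close()
    return seen


def corpus_report(spam_path, ham_path, minimum=MIN_PER_CORPUS):
    """Summarise both corpora and say whether they are big enough to train on."""
    spam_n, ham_n = count_messages(spam_path), count_messages(ham_path)
    names = set(filter_headers(spam_path)) | set(filter_headers(ham_path))
    return {
        "spam": spam_n,
        "ham": ham_n,
        "ready": spam_n >= minimum and ham_n >= minimum,
        "headers_to_ignore": sorted(names),
    }


def build_sample_mbox(path, n, kind):
    """Write n constructed messages to `path` in mbox format (demo data only)."""
    box = mailbox.mbox(path)
    try:
        for i in range(n):
            box.add(
                f"From: sender{i}@example.invalid\n"
                f"To: johnny@piratefish.org\n"
                f"Subject: {kind} sample {i}\n"
                # Assumed gateway header names; your MailScanner stamps its own.
                f"X-piratefish.piratefish.org-MailScanner-SpamScore: {'s' * (i % 5)}\n"
                f"X-piratefish.piratefish.org-MailScanner: Found to be clean\n"
                f"\nConstructed {kind} message number {i}.\n"
            )
        box.flush()
    finally:
        box.close()
    return path


def demo_corpus(n_spam, n_ham):
    """Build two constructed corpora in a temporary directory and report on them."""
    workdir = tempfile.mkdtemp(prefix="piratefish-bayes-")
    spam = build_sample_mbox(os.path.join(workdir, "spam"), n_spam, "spam")
    ham = build_sample_mbox(os.path.join(workdir, "ham"), n_ham, "ham")
    return corpus_report(spam, ham)


if __name__ == "__main__":
    # 250 spams but only 120 hams: "ready" comes back False
    print(demo_corpus(250, 120))
```

Run it as-is to see the report on the constructed corpus; for real files call corpus_report("/root/spam", "/root/ham") and only run sa-learn once ready is True. Any name in headers_to_ignore that is missing from your bayes_ignore_header lines should be added before training.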


After copying the files into your Piratefish server, they should ideally be named 
spam and ham. This command will train your server about the spams you’ve 
uploaded: 


sa-learn --showdots -p /etc/MailScanner/spam.assassin.prefs.conf --mbox --spam /root/spam 


SpamAssassin will now read the file in, printing dots along the way, and when 
it’s done it will tell you how many messages it read. Now your Piratefish knows 
what spam looks like, but it doesn't know what good email looks like, so let’s 
feed it your ham: 


sa-learn --showdots -p /etc/MailScanner/spam.assassin.prefs.conf --mbox --ham /root/ham 


Once more, as the fish learns it prints dots as it goes, and prints out its results 
when it’s done. 


This should be all that's needed to get the Bayesian filter working in 
SpamAssassin. At this point it's a matter of time to see what makes it through 
and doesn't. It’s a good idea to teach the Piratefish more with more spam and 
ham files on a regular basis. Be sure to rename your spam and ham files to 
include the date they were uploaded. 


If you make a mistake in Bayesian training (like feeding spam to the ham
learn, or vice-versa), you can type:


sa-learn --clear -p /etc/MailScanner/spam.assassin.prefs.conf


This will wipe out what the filter knows. If you do this, you’ll have to start the 
training over from the beginning — which is why you should keep all the training 
files handy. 


For a more in-depth read about how the SpamAssassin Bayesian filter works, I
recommend reading these web pages:


http://wiki.apache.org/spamassassin/BayesInSpamAssassin 
http://wiki.apache.org/spamassassin/BayesFaq 


For those of you who are more adventurous, in the /etc/MailScanner folder on 
your Piratefish server, there's a file called spam.assassin.prefs.conf - read 
through this as more tuning options could exist for you. Remember that Google 
is your friend when making changes. 


From this point on, you might want to implement a method to get the spams 
and hams into your Piratefish so you can teach it on a continuing basis. 


The following section describes one way to accomplish this using IMAP. If this is 
unsuitable for your needs, search Google for SpamAssassin Bayesian training. 


Drag and Drop Bayesian Filter Programming 


This method of Bayesian programming uses an IMAP client on your Piratefish 
server to copy emails from folders on your mail server. This has been tested 
successfully in a Microsoft Exchange environment, and I've had a good run with 
it in Linux server environments as well. 


Also, for another change of pace, I'm providing ready-to-use scripts as well, so 
there will be less editing for those of you wanting to do this! 


1. Create a new user on your mail server - call it "spaminator" or
something else - be creative. Assign it a password as well.


For this example, the user spaminator was created with the password
spaminator5.


Add this account to your desktop email client, but be sure to treat it as 
IMAP - not as POP3/SMTP. This is important so as to keep the messages 
on the mail server. Everyone else who uses this account will need to use 
IMAP with it as well. 


Once you can reach the account from your mail client, go ahead and
create two folders in the mailbox using your mail client - one called
Spam and one called Ham - or call them anything you like. Case matters
here too, and each folder must be uniquely named and exist at the top
level of the mailbox.


On the Piratefish server, log in as root to the console (or SSH in) and
execute the following command:


wget http://www.piratefish.org/wp-content/uploads/ddbayes-setup.sh.gz


Note: this file is compressed. Type in this command to unpack it:


gunzip ddbayes-setup.sh.gz


Run the script by typing in the following: 


chmod 755 ddbayes-setup.sh 
./ddbayes-setup.sh 


When running this script, be ready to answer the following questions:


The name (or IP address) of your IMAP mail server
The account name used for Bayesian Learning
The account password
The Spam folder name
The Ham folder name


When this setup script is run, it will create the files needed to run 
fetchmail and install fetchmail if it's not already installed on your 
Piratefish server. 


To test, copy some ham into the Ham folder for the spaminator user, then move
or copy some spam into the spaminator Spam folder as well.


Remember that this system removes the email from these mailboxes, so it's 
critical that no important messages are moved into the Ham box - copy them 
in - moved mail will be deleted at training time! 


Once you've loaded the directories using your mail client, type the following at 
the Piratefish command prompt: 


./autolearn.sh 


Your screen will display some activity as the Spams and Hams are loaded, one at 
a time, from the account and learned. 


Once installed, this script will run automatically every hour. 


If you run into problems and want to stop running this script every hour, just 
remove the file /etc/cron.hourly/autolearn.sh - this will remove the link that 
makes the script run every hour. 


Multiple users can use the same IMAP account easily, with each person adding
spams and hams as needed. Dragging and dropping the messages ensures that the
message headers aren't appended to or modified, so the SpamAssassin Bayesian
filter learns from the messages exactly as they were received.
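

The ddbayes-setup.sh script above drives this with fetchmail. As an added illustration of what the hourly job has to do, here is a small Python version that is not part of the Piratefish scripts. It uses imaplib in place of fetchmail, pipes each message into sa-learn with the same -p prefs file the chapter uses, and deletes a message from the folder only after sa-learn accepted it, which is why mail moved (rather than copied) into the folders disappears. The folder names Spam and Ham match the chapter; the FakeImap class and the messages in demo() are constructed so the example runs offline, and sa-learn's --single flag (one message on stdin) is assumed to be present in your SpamAssassin version.

```python
import imaplib
import subprocess

SA_PREFS = "/etc/MailScanner/spam.assassin.prefs.conf"   # same prefs MailScanner uses
# IMAP folder name -> sa-learn flag. Folder names are case-sensitive, as the guide says.
FOLDERS = {"Spam": "--spam", "Ham": "--ham"}


def connect(host, user, password):
    """Open an IMAP-over-TLS session to the mail server (real use; demo() never calls it)."""
    imap = imaplib.IMAP4_SSL(host)
    imap.login(user, password)
    return imap


def sa_learn(raw_message, flag, prefs=SA_PREFS):
    """Feed one raw RFC822 message to sa-learn on stdin; True only if it succeeded."""
    result = subprocess.run(["sa-learn", "--single", flag, "-p", prefs],
                            input=raw_message, capture_output=True)
    return result.returncode == 0


def learn_folder(imap, folder, flag, learn=sa_learn):
    """Learn every message in `folder`, deleting only those sa-learn accepted.

    Returns (learned, kept). A message that fails to learn stays in the folder
    so it can be looked at instead of vanishing; that is why deletion happens
    after learning, never before.
    """
    status, _ = imap.select(folder)
    if status != "OK":
        raise RuntimeError(f"cannot open IMAP folder {folder!r}")
    _, data = imap.search(None, "ALL")
    learned = kept = 0
    for num in data[0].split():
        _, parts = imap.fetch(num, "(RFC822)")
        raw = parts[0][1]
        if learn(raw, flag):
            imap.store(num, "+FLAGS", "\\Deleted")
            learned += 1
        else:
            kept += 1
    imap.expunge()
    return learned, kept


def autolearn(imap, folders=FOLDERS, learn=sa_learn):
    """Process every configured folder; returns {folder: (learned, kept)}."""
    return {folder: learn_folder(imap, folder, flag, learn)
            for folder, flag in folders.items()}


class FakeImap:
    """In-memory stand-in for imaplib.IMAP4, constructed so the example runs offline."""

    def __init__(self, folders):
        self.folders = {name: list(messages) for name, messages in folders.items()}
        self.current, self.deleted = None, set()

    def select(self, name):
        if name not in self.folders:
            return ("NO", [b"no such folder"])
        self.current, self.deleted = name, set()
        return ("OK", [str(len(self.folders[name])).encode()])

    def search(self, charset, criterion):
        count = len(self.folders[self.current])
        return ("OK", [b" ".join(str(i + 1).encode() for i in range(count))])

    def fetch(self, num, parts):
        return ("OK", [(num + b" (RFC822 {0})", self.folders[self.current][int(num) - 1])])

    def store(self, num, operation, flags):
        self.deleted.add(int(num) - 1)
        return ("OK", [])

    def expunge(self):
        self.folders[self.current] = [m for i, m in enumerate(self.folders[self.current])
                                      if i not in self.deleted]
        self.deleted = set()
        return ("OK", [])


def demo():
    """Constructed mailbox and a fake learner that rejects anything lacking a Subject."""
    box = FakeImap({
        "Spam": [b"Subject: cheap watches\r\n\r\nbuy now\r\n", b"\r\nno headers at all\r\n"],
        "Ham": [b"Subject: lunch?\r\n\r\nsee you at noon\r\n"],
    })
    summary = autolearn(box, learn=lambda raw, flag: raw.startswith(b"Subject:"))
    left = {name: len(messages) for name, messages in box.folders.items()}
    return summary, left


if __name__ == "__main__":
    print(demo())   # ({'Spam': (1, 1), 'Ham': (1, 0)}, {'Spam': 1, 'Ham': 0})
```

Against a real server, replace the demo() call with connect("mail.example.com", "spaminator", password) (the host name is a placeholder), then autolearn(imap) and imap.logout(), and run it from cron on the same hourly schedule as autolearn.sh. The message that failed to learn in the demo is the one left in the Spam folder afterwards.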
Chapter 18: Sender Policy Framework


The Sender Policy Framework (SPF) is a system designed to prevent people from 
sending emails while hiding their true identities. If you have seen a Phishing 
email that comes from accounts@ebay.com or perhaps a large bank, and the 
message contains links to some password collecting site that looks like eBay or 
perhaps a legitimate Internet Banking site, then you know how serious these 
types of messages are, and how common they are. 


As you might remember in our testing in Chapter 5, we made the Piratefish 
think that a message was coming from someone@aol.com. Phishing has come 
about primarily because it’s easy to impersonate other people or companies on 
the Internet. The SPF system helps to mitigate the problem by providing 
domains a way to declare their trusted mail sources. 


Note that SPF is not a perfect solution — it merely helps control the problem for 
those people who truly worry about phishing. If everyone embraced SPF, there 
would be a lot less spam in general. 


The need for SPF controls is clear. The original email RFCs didn't take into
account the possibility that email would need to become a trusted medium as it
is today. SPF has been recognized as a method to help mitigate email fraud, and
was defined in RFC 4408. All major anti-spam appliances now have support for
SPF as well.


SPF must be set up in two places for you to take full advantage of it. First,
your own DNS records need to be modified to include the SPF information for
your domains. Second, you need to set up your Piratefish to perform SPF checks
on incoming messages.


Defining your SPF DNS records 


The best place to obtain this information is openspf.org. They have an online
tool to help define your SPF DNS record and extensive explanations on how to
set up SPF records for your domain, with instructions for users of Bind and
Microsoft DNS, which covers most of the DNS servers found on the Internet.


In order to create an SPF record, you need to determine what IP addresses will
be sending out email in the name of your organization. Your Piratefish may well
do this if you set up two-way email relaying. The email server you forward your
email into will probably need to be listed also. Any other systems such as
monitoring systems, IDS, web servers, e-commerce sites, etc. that can generate
email may also need to be listed.


Also remember that it's important not to list internal IP addresses in your
SPF record. If your mail server's internal IP address is 10.0.0.6, there's no
need to put that in your SPF record because hopefully nobody outside your
network can see that IP address.


SPF in testing mode 


Here's an example of how the syntax works. In the case of Piratefish.org, I
could have a mail server named "exchange.piratefish.org" at IP address
17.16.15.10 and a Piratefish server called "piratefish.piratefish.org" at IP
address 17.16.15.12.


If only the “exchange.piratefish.org” server was used to send outbound email, 
my SPF record would look like this, all on one long line: 


v=spf1 mx ~all


Unfortunately, life isn't always this simple. What if the Piratefish is set up
to bounce an infected message? It needs to be listed too. The SPF for this
would look like this:


v=spf1 ip4:17.16.15.12 mx ~all


If some Evil Phisherman at IP address 63.214.34.50 was to try sending emails as 
me and my SPF record is in place, and the receiving mail server checks to see 
who’s allowed to send email in the name of Johnny@piratefish.org, it'll see that 
this email is a fake and not deliver it. 
Setting up a proper SPF record isn't easy, and the folks who have the tool set
up for this have done a good job, but it still needs humanizing.


Making SPF Work 


Both of the example SPF records I've shown so far are a good start, but they do
lack teeth. The "~all" at the end of the SPF record tells anyone asking that "I'm
in testing mode." SPF record checking will not throw away messages that are in
violation of these SPF records.


To switch SPF from testing to enforcement, you need to change from the "~all"
to a "-all". Once this is changed, anyone asking will get the final word, and are
compelled to not accept messages violating the SPF record.


This doesn't solve the largest problem however, making the rest of the world 
RFC 4408 compliant. In order for SPF to work best, all email systems on the 
Internet must at some point become compliant with SPF — this is unlikely to 
happen as not nearly enough people spend the needed time to make it work. 


Larger organizations have taken the time to create and maintain their SPF 
records, so SPF checking is a good idea and worth the trouble. 
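

To see the difference between the two records above, and between ~all and -all, here is a small SPF evaluator written as an added example; it is not part of the Piratefish or of the spf-policy.pl script installed later in this chapter. It handles only the ip4, a, mx and all mechanisms from RFC 4408, resolves names against a constructed table built from the chapter's example hosts (exchange.piratefish.org at 17.16.15.10, piratefish.piratefish.org at 17.16.15.12) instead of real DNS, and uses the chapter's 63.214.34.50 as the forged sender's address.

```python
import ipaddress

# Constructed DNS data standing in for real lookups. The names and addresses
# are the chapter's own example: exchange.piratefish.org is the MX at
# 17.16.15.10, the Piratefish itself is 17.16.15.12.
DNS = {
    "MX": {"piratefish.org": ["exchange.piratefish.org"]},
    "A": {
        "exchange.piratefish.org": ["17.16.15.10"],
        "piratefish.piratefish.org": ["17.16.15.12"],
    },
    "TXT": {"piratefish.org": "v=spf1 ip4:17.16.15.12 mx ~all"},
}

# SPF qualifiers: the result returned when the mechanism they prefix matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(mechanism, client_ip, domain, dns):
    """Does one mechanism (ip4:, a, mx or all) cover client_ip?

    This is the subset of RFC 4408 needed for the chapter's records; include:,
    redirect=, exists: and macros are deliberately not handled here.
    """
    name, _, argument = mechanism.lower().partition(":")
    ip = ipaddress.ip_address(client_ip)
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(argument, strict=False)
    if name == "a":
        hosts = [argument or domain]
    elif name == "mx":
        hosts = dns["MX"].get(argument or domain, [])
    else:
        raise ValueError(f"mechanism not supported in this example: {mechanism}")
    addresses = [addr for host in hosts for addr in dns["A"].get(host, [])]
    return any(ip == ipaddress.ip_address(addr) for addr in addresses)


def check_spf(client_ip, mail_from, dns=DNS):
    """SPF result (pass, fail, softfail, neutral or none) for a connection from
    client_ip that claims the envelope sender mail_from."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = dns["TXT"].get(domain)
    if record is None:
        return "none"          # no SPF record published: nothing to enforce
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"        # a bare mechanism means "pass if it matches"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, client_ip, domain, dns):
            return QUALIFIERS[qualifier]
    return "neutral"           # nothing matched and no "all" term at the end


def with_record(record, dns=DNS):
    """Copy of the constructed DNS data with piratefish.org's SPF record swapped."""
    copy = {rtype: dict(entries) for rtype, entries in dns.items()}
    copy["TXT"]["piratefish.org"] = record
    return copy


if __name__ == "__main__":
    sender = "Johnny@piratefish.org"
    for record in ("v=spf1 mx ~all",
                   "v=spf1 ip4:17.16.15.12 mx ~all",
                   "v=spf1 ip4:17.16.15.12 mx -all"):
        print(record)
        for ip in ("17.16.15.10", "17.16.15.12", "63.214.34.50"):
            print(f"  {ip:>14} -> {check_spf(ip, sender, with_record(record))}")
```

Running it prints, for each of three records, the result for the Exchange server, the Piratefish and the forged sender. With v=spf1 mx ~all the Piratefish's own bounces come back softfail, which is the problem the ip4: term fixes; with -all the forged sender's result changes from softfail to fail, which is the enforcement step described above. A real checker must also handle include:, redirect= and the DNS lookup limit, which this example leaves out.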


Adding SPF checking to your Piratefish server 


Adding in checking will require some manual editing of the configuration files in
your Piratefish, making this one of the most complex configuration changes you
will make.


1. Log into your Piratefish server as root


2. Enter the command cd /etc/postfix and press enter.
This should change you into the /etc/postfix directory.

3. Type wget http://www.piratefish.org/spf-policy.txt and press enter.
The system will go online and download the file spf-policy.txt.


4. Type mv spf-policy.txt spf-policy.pl


This renames the file from a text file type to a perl file type.


5. Type chmod 755 spf-policy.pl


This makes the script executable.


6. Log out from the Piratefish and return to the Webmin GUI.


7. Webmin -> Others -> File Manager


8. In the File Manager, go to /etc/postfix


9. Highlight the file master.cf and click on the Edit icon.


10. Enlarge the pop-up editing window and scroll down to an area that
looks similar to this:


discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.


Note: The spfpolicy line can be inserted anywhere in the file, so don't
worry.


11. At the bottom of this table within the file as shown, we need to add a
single line like this:


lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
spfpolicy unix  -       n       n       -       -       spawn user=nobody argv=/usr/bin/perl /etc/postfix/spf-policy.pl
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.


The text you're adding should be on one line, with tabs creating the
wide white space. It reads like this;


spfpolicy unix - n n - - spawn user=nobody argv=/usr/bin/perl /etc/postfix/spf-policy.pl


Once this is added, click on the Save & Close button.


12. Now highlight main.cf and click on the Edit button.


13. At the bottom of the file, add the following lines, so that the end of
the file looks like this:


header_checks = regexp:/etc/postfix/header_checks
relay_recipient_maps = hash:/etc/postfix/relay_recipients

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient
    check_policy_service unix:private/spfpolicy


Click the Save & Close button.


The directive permit_mynetworks is required to enable mail relay from 
trusted networks. 


The directive reject_unauth_destination will reject a message unless it’s 
being delivered to someone correct for your configuration. 


The directive reject_unknown_recipient_domain will reject a message 
being delivered where the user is someone @ip-address if the domain of 
the sender doesn’t exist. 


The directive reject_unverified_recipient will reject messages that are
undeliverable.


The directive check_policy_service unix:private/spfpolicy will invoke
the SPF perl script you've just installed, and check the message to see if
the sender's SPF records exist and/or match.


With these rules in play, mail will be SPF checked. Mail from domains 
without SPF records will still be delivered, but fraudulent messages 
coming in from those domain owners who have specific SPF policies to 
stop them, will be blocked. 


14. The SPF policy script also needs the Mail::SPF::Query Perl module.
Install it from the CPAN shell:


perl -MCPAN -e shell
install Mail::SPF::Query


15. Reboot the server and test your changes.
Chapter 19: FuzzyOcr Spam Detection


Bayesian filtering and blacklisting do have their limits. One method used to 
bypass these tools is the use of an image containing an advertisement. This 
method can deliver spam by showing you the email equivalent of billboards — 
and these spams evade being read and scored by SpamAssassin. 


These types of messages are called "image spam" - they contain a single image
attachment that contains the spam message itself. These spams can get
through the Piratefish because it can't look at the image to see if the image
contains spam.


To defend against these spams a few modules are needed. One to decode the 
images, one to perform OCR (optical character recognition) on the image to find 
all its displayed words, and then finally one to perform fuzzy word matching to 
see what words are within the image and decide on the spam status. 


SpamAssassin fortunately has a number of plugins that can add features - and 
FuzzyOcr is one of those plugins. 


Adding FuzzyOcr image spam detection to the Piratefish 


1. Log into your Piratefish server as root 
2. Type apt-get install fuzzyocr and press enter. 
3. Reboot the Piratefish server. 
Webmin -> System -> Bootup & Shutdown -> Reboot 


4. Test the mail server as usual. 
Testing FuzzyOcr


Once FuzzyOcr is installed and the server has been rebooted, it's time to test it.
To facilitate this, the author of FuzzyOcr has included some test files to help you
test your setup.


1. Log into the Piratefish as root 
2. Type cd /usr/share/doc/fuzzyocr/examples and press enter. 
3. Now type ls -la and press enter.


You will see a list of files. These .eml files are actually email message
files that contain embedded images just the way a mail server would
receive them, complete with image encoding and minimal content, just
like a real image spam message.


ocr-animated.eml 
ocr-gif.eml 
ocr-jpg.eml 
ocr-multi.eml 
ocr-obfuscated.eml 
ocr-png.eml 
ocr-wrongext.eml 
README 


Let's now read the README file: type less README and press enter.
This will load the less reader, and you can scroll the file up and down to
read its contents. Press the escape key once you're done to return to
the command prompt.
4. To send a test file through spamassassin, type the following and press
enter:


spamassassin -t < ocr-multi.eml


Now, in reality, this is how the test should ideally be run: 


spamassassin -t -p /etc/MailScanner/spam.assassin.prefs.conf < ocr-multi.eml


Testing with the -p option makes sure that we're testing using the same
settings that MailScanner uses when it calls SpamAssassin.


This test will invoke SpamAssassin and tell it to process a local file, and
output the email to the console screen. Doing this creates a screen full
of output not meant for human eyes, but at the very end of the output,
something interesting can be seen: FuzzyOcr was invoked, it read the
image in the eml file, and it found enough bad stuff to call this message
spam.


5. Step 4 can be repeated with the other test files as desired. 
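

The interesting part of the -t output is the Content analysis details table at the end. Rather than reading it by eye for each of the seven .eml files, the following Python script, an added example that is not part of FuzzyOcr or the Piratefish, parses that table, reports the total score against the threshold, and picks out the rules whose names begin with FUZZY_OCR. SAMPLE_REPORT is a constructed report in SpamAssassin's layout so the parser can be run away from the server; its scores and descriptions are made up. The check_eml function runs the real command with the -p prefs file from step 4 and only works on a Piratefish.

```python
import os
import re
import subprocess

SA_PREFS = "/etc/MailScanner/spam.assassin.prefs.conf"   # the -p file the chapter uses
EXAMPLES_DIR = "/usr/share/doc/fuzzyocr/examples"         # where the .eml test files live

# Constructed sample of the tail of `spamassassin -t` output. The layout follows
# SpamAssassin's report format; scores and descriptions are made up for the
# example and were not copied from a real FuzzyOcr run.
SAMPLE_REPORT = """\
Subject: test image spam
X-Spam-Flag: YES

Content analysis details:   (8.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
 7.0 FUZZY_OCR              BODY: Mail contains images with common spam text
"""

SUMMARY_LINE = re.compile(
    r"Content analysis details:\s+\((-?[\d.]+) points, ([\d.]+) required\)")
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


def parse_report(text):
    """Pull the score, the threshold and the rules that fired out of -t output."""
    summary = SUMMARY_LINE.search(text)
    if summary is None:
        raise ValueError("no 'Content analysis details' summary in the output")
    score, required = float(summary.group(1)), float(summary.group(2))
    rules = {}
    for line in text[summary.end():].splitlines():
        hit = RULE_LINE.match(line)
        if hit:  # continuation lines of long descriptions carry no score
            rules[hit.group(2)] = (float(hit.group(1)), hit.group(3).strip())
    return {"score": score, "required": required,
            "is_spam": score >= required, "rules": rules}


def fuzzyocr_hits(report):
    """Points contributed by rules whose name starts with FUZZY_OCR."""
    return {name: points for name, (points, _) in report["rules"].items()
            if name.startswith("FUZZY_OCR")}


def check_eml(path, prefs=SA_PREFS):
    """Run spamassassin -t on one .eml with MailScanner's prefs (needs a Piratefish)."""
    with open(path, "rb") as message:
        output = subprocess.run(["spamassassin", "-t", "-p", prefs],
                                stdin=message, capture_output=True, text=True).stdout
    return parse_report(output)


if __name__ == "__main__":
    if os.path.isdir(EXAMPLES_DIR):
        for name in sorted(os.listdir(EXAMPLES_DIR)):
            if name.endswith(".eml"):
                r = check_eml(os.path.join(EXAMPLES_DIR, name))
                print(f"{name:22} spam={r['is_spam']} score={r['score']} "
                      f"fuzzyocr={fuzzyocr_hits(r)}")
    else:
        r = parse_report(SAMPLE_REPORT)
        print(r["is_spam"], r["score"], fuzzyocr_hits(r))
```

On the Piratefish, running it from the examples directory walks every test file and prints one line each; a file that comes back with no FUZZY_OCR entry is the one to look at, since it means the image was never scored.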


FuzzyOcr Words List Editing


FuzzyOcr comes with a sample words file that catches many common image
spams. This file is not perfect as it might miss things depending on what words
are used in your incoming spam. The word list that comes with FuzzyOcr can be
edited and expanded as needed.


If you find picture messages getting through your Piratefish, adding in unique 
words from these messages to the FuzzyOcr.words file should stop these picture 
messages from getting through. 


Users of this feature in non-English-speaking countries should edit this file so
that it contains unique spam-common words found in their native language. The
default English language file should be sufficient for most users.


To edit the word list, do the following: 


1. Webmin -> Others -> File Manager 


2. Enter /etc/spamassassin into the path and press enter. 


3. Highlight the file named FuzzyOcr.words and click on the Edit
button.


4. Add whatever words are deemed necessary to the file in the 
appropriate section. 


Note: On some words, you will notice that there are extra characters 
after some words — these are score overrides that modify the score of a 
particular word. If you are curious about how this works, read the file 
/etc/spamassassin/FuzzyOcr.cf from the root prompt. 


5. Click on the Save & Close button when done.
Chapter 20: Using Postgrey to add automatic greylisting


It is recommended that this feature only be used under desperate high-volume
situations. If you receive fewer than 20,000 messages per day or if you need to
receive 100% of all mail on every delivery attempt, this feature is not for you.


Greylisting fools impatient mail server systems into thinking that your email 
address is no longer valid. When mail can't be delivered under normal 
circumstances, error messages are produced with error numbers in the 500 
range. When mail can't be delivered under unusual circumstances however, a 
400 range message is produced. 


Postgrey is a greylisting policy server for Postfix. When an email is checked, it
records the sender's IP address, who is sending the message, and the recipient.
If these three items have never been seen before, or have only been seen within
the last 5 minutes, then the message is rejected with a temporary error in the
400 range. If the same combination is seen again after 5 minutes and before 35
days, the message is allowed through.


What's clever about this is that it requires all email to be fully RFC compliant,
and the RFCs dictate that if an email gets a temporary error, the server should
hang onto the message and try delivering it a little later. Because spam is a
volume business, and greylisting adds a 5 minute delay to delivery, this delay
can slow spammers down or even clog their ability to deliver messages to you.
To make things more interesting, by the time a high-volume spammer actually
tries to deliver this message again, with luck, their server may already be
blacklisted.


Another boon to this feature is that spammers can be some of the worst
offenders when it comes to following the RFCs for delivering messages, and
those spammers who don't take the extra effort to deliver their messages with
full RFC compliance might never try delivering again.
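

To make the triplet logic concrete, here is a small greylisting policy written in Python as an added example. It is not Postgrey's code (Postgrey also keeps whitelist files and automatically whitelists a client after it has passed several messages, which this leaves out). It implements the 5 minute delay and the 35 day memory described above, and answers in the format Postfix's check_policy_service expects: name=value request lines ending with a blank line, answered with action=DEFER_IF_PERMIT or action=DUNNO. The request in demo() is constructed, reusing the chapter's 63.214.34.50 as the client address.

```python
import time

GREYLIST_DELAY = 5 * 60             # seconds a new triplet must wait: the chapter's 5 minutes
TRIPLET_MAX_AGE = 35 * 24 * 3600    # forget a triplet not seen for 35 days: the chapter's figure


class Greylist:
    """Greylisting policy in the style of Postgrey (an added example, not Postgrey's own code).

    Keyed on the (client IP, envelope sender, recipient) triplet. A first
    contact, or a retry inside the delay window, is deferred with a temporary
    error; a retry after the delay, while the triplet is still remembered, passes.
    """

    def __init__(self, delay=GREYLIST_DELAY, max_age=TRIPLET_MAX_AGE):
        self.delay, self.max_age = delay, max_age
        self.entries = {}   # triplet -> [first_seen, last_seen]

    def check(self, client_ip, sender, recipient, now=None):
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.entries.get(key)
        if entry is None or now - entry[1] > self.max_age:
            self.entries[key] = [now, now]      # new or expired triplet: start the clock
            return "DEFER"
        entry[1] = now
        if now - entry[0] < self.delay:
            return "DEFER"                      # came back too soon: still greylisted
        return "OK"                             # waited it out, as a real MTA does


def parse_policy_request(text):
    """Parse a Postfix policy-delegation request: name=value lines ended by a blank line."""
    attributes = {}
    for line in text.splitlines():
        if not line:
            break
        name, separator, value = line.partition("=")
        if separator:
            attributes[name] = value
    return attributes


def policy_response(greylist, request_text, now=None):
    """Reply as a check_policy_service server does: DEFER_IF_PERMIT or DUNNO.

    DUNNO hands the decision on to the next restriction in
    smtpd_recipient_restrictions (the SPF check, in this guide's setup).
    """
    attrs = parse_policy_request(request_text)
    verdict = greylist.check(attrs.get("client_address", ""),
                             attrs.get("sender", ""),
                             attrs.get("recipient", ""), now)
    if verdict == "DEFER":
        return "action=DEFER_IF_PERMIT Greylisted, please try again later\n\n"
    return "action=DUNNO\n\n"


def demo():
    """Constructed timeline for one triplet: first try, quick retry, patient retry, long gap."""
    greylist = Greylist()
    request = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
               "client_address=63.214.34.50\nsender=bulk@example.invalid\n"
               "recipient=johnny@piratefish.org\n\n")
    start = 1_000_000.0
    offsets = [0, 60, 600, 40 * 24 * 3600]      # now, +1 min, +10 min, +40 days
    return [policy_response(greylist, request, start + t).split()[0] for t in offsets]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The demo shows the two behaviours the text relies on: a sender that retries after a minute is still deferred, one that retries after ten minutes gets through, and a triplet not seen for 40 days has to start over. A spam bot that never retries simply never reaches the DUNNO step.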
To install Postgrey:


1. Log into the console of your Piratefish as root. 


2. Type "apt-get install postgrey" and press enter. Acknowledge the 
changes for the installation. 


3. Once the installation is complete, the Postgrey daemon is installed on your
Piratefish, but until you modify the Postfix configuration, Postgrey will not
be used.


To add Postgrey processing into Postfix: 


1. Go to Webmin -> Others -> File Manager
2. Enter /etc/postfix into the path and press enter. 
3. Click once on main.cf and press enter. 


4. At the bottom of the file, just above the check_policy_service line for SPF,
add in the following line:


check_policy_service inet:127.0.0.1:10023


so that it looks like this when complete:


relay_recipient_maps = hash:/etc/postfix/relay_recipients

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient
    check_policy_service inet:127.0.0.1:10023
    check_policy_service unix:private/spfpolicy


5. Once this is complete, save the file, and reboot your Piratefish. 


6. Test the Piratefish per chapter 5. 
Chapter 21: Installing MailWatch (BETA!)


MailWatch for MailScanner provides a number of enhanced additions for 
managing the MailScanner portion of your Piratefish server. It provides the 
ability to manage the mail queues, has detailed drill-downs into the mail 
operations, and provides management capabilities for your mail system that are 
not found in the default Piratefish installation. 


MailWatch uses SQL databases to store information about what’s going on in 
your Piratefish. If your Piratefish system was built on older or slower hardware, 
or has troubles keeping up with its workload, you might not want to install 
MailWatch. 


If your system has the resources to support it, the additional management 
features are worth the troubles. It is recommended that your Piratefish has at 
least 1 gigabyte of RAM and 20-30 available gigabytes of free disk space. 


Higher volume systems should ideally have even more space. 


Unlike other integrations explained in this book, MailWatch will require the
reader to configure some rather complex items: these include Apache, MySQL
and PHP. This combination is often referred to as "LAMP", short for
Linux+Apache+MySQL+PHP. As this is a more technically demanding type of
integration, this will be performed mostly from the Linux command line.


One final item to note: if your Piratefish is not behind a tightly controlled
firewall, then I recommend that you reconsider this setup. I do not want to be
responsible for the security of a Piratefish setup using this if you're permitting
the outside world to connect to your databases or management GUIs. Be darn sure
that ports 10000, 3306, 443, 80 and 22 are not publicly accessible on your
Piratefish when this is all done. The fewer ports that you expose to the world,
the better for you it will be. I will try to keep things as secure as possible,
but I can make no guarantees.


In other words, if you don't lock your doors, expect unwanted visitors.




Please note that these instructions have been adapted from the MailWatch
provided instructions found on http://mailwatch.sourceforge.net. They have
been adapted to PHP5 as well.


Proceed at your own risk: this section is not 100% proven yet!


A note about prerequisites and package managers... 


In many Linux setups, there are dependencies: things that need to be included
in the system before software can be run. You might remember in Chapter 2 of
the Piratefish, when you entered the apt-get install command, that just a few
packages had some 50 dependencies to install; that's 50 large-scale items that
you didn't have to manually specify or install by hand. This easy groundwork
is a feature of the package management systems built into most Linux OSes;
however, not all packages have been included in the package managers yet, and
MailWatch is one of these.


What this means is that the process of installing MailWatch will require us to 
install some things before it will work. Fortunately, those pre-requisite 
programs ARE available through the package manager, so it’s not that difficult 
of a setup. 


The pre-requisites for MailWatch are MySQL, Apache and PHP. 


1. Enter the command: 


apt-get install apache2 php5-cli libapache2-mod-php5 mysql-client mysql-server libdbd-mysql-perl php5-gd php5-mysql


This will begin the process of downloading and installing Apache, PHP,
MySQL, the DBD connector and all the associated bits they require to
work.


2. At some point during the installation, you will be prompted for your
MySQL server password - this password will be for the root user of your
MySQL installation. It is desperately important that you set this
password to something good.

Additionally, losing this password can have dire complications so it's
vital that you don't lose it either. Be sure to write it down.


Once the MySQL password is entered, the installation should complete 
without any further interruptions. 


3. Once the installation is complete, go into your Webmin GUI and 
perform an upgrade on Webmin as well. This will ensure that all the 
proper management bits are installed in Webmin. 


Navigate to Webmin -> Webmin Configuration and click on the Upgrade Webmin
icon.


4. Click on the Upgrade Webmin button.


The Upgrade Webmin form offers several sources (a local file, an uploaded
file, an ftp or http URL, or the latest version from www.webmin.com); the
screenshot in the original shows Latest version from www.webmin.com selected
before the Upgrade Webmin button is pressed.


Once this is done, the new version will be automatically available; no 
reboot is necessary. 


5. Navigate to Webmin -> Webmin Configuration and click on the Webmin 
Modules icon. 


6. Click on the radio button next to Standard module from 
www.webmin.com and then click on the ... button and choose Apache from 
the popup list that appears. 


[Screenshot: the Webmin Modules -> Install Module form. "Install from" is 
set to Standard module from www.webmin.com with apache chosen, "Ignore 
dependencies?" is set to No, and access is granted only to the users and 
groups: root. The Install Module button sits below the form.] 


7. Once this is selected, click on the Install Module button. 


Now click on the Return to modules form link. 


8. Now repeat steps 6 & 7 of this section, however choose the mysql 
plugin from the list instead and install it. 


9. Repeat steps 6 & 7 once more, choosing the phpini plugin and install it. 


10. Now find the link on the left-hand side of the Webmin window titled 
Refresh Modules and select it. 


11. Navigate to Webmin -> Servers and note that new sections are added 
for Apache and MySQL. 


12. Navigate to Webmin -> System and note that a new section for PHP has 
been added. 


Editing PHP.INI 


1. From the Piratefish console logged in as root, navigate to the PHP setup 
directory. 

Enter the command cd /etc/php5/apache2 

2. Enter the command pico php.ini 

This action will enter into a text editor called Pico, and edit the file that 
controls how PHP works. If you make a mistake, press control+X, do not 
save changes, and start over. 


3. Press Control+W to perform a search. Type extension= and press the 
Enter key. 


This performs a search for one of the modules that PHP needs activated 
to run MailWatch. 


4. Using the arrow keys, move to the bottom of that section, to the blank 
line between the comments and the Module Settings area. Press Enter 
to add more blank lines. 


Add the following two lines exactly as shown: 


extension=mysql.so 


extension=gd.so 


5. Now press Control+X then press Y and then press Enter a couple of 
times. 


The file will be saved and Pico will close. 


Downloading MailWatch 


MailWatch can be found on the SourceForge website at this URL: 
http://mailwatch.sourceforge.net/doku.php 


Note that if this URL changes, simply search Google for MailWatch and obtain 
the package that way. 


To download this directly using a text-mode web browser on your Piratefish, 
follow these steps: 


1. Enter the command apt-get install links 


This will install the links browser into Ubuntu. You will be able to 
browse the web from any text console using this utility. 

2. Before launching Links, it’s important to switch to your home folder. 
Enter the command cd alone, and this should switch you to your home 
folder. If you are logged in as root, this folder will be /root. 

To see what folder you’re in, enter the command pwd. This will show 
the current location in the file system you reside. This is important 
because Links will download to the current folder in the next steps. 


3. Enter the command links http://mailwatch.sourceforge.net 

4. When links first loads, a dialog box will appear; just press the spacebar 
to dismiss it. 

5. Using the down arrow, point the cursor to Download and press Enter. 

6. The next page will load with the word here highlighted — press Enter 
again. 

7. Using the arrows once again, move the cursor down until it points to 
something that says something like Download Now! mailwatch-1.0.5.tar.gz 
and press Enter, choose to save the file, press enter again, and wait for 
the download to complete. 

8. Once the download has finished, quit out of links by pressing the q key 
and then pressing Enter. 

Installing MailWatch 


Up until now, the system has just been getting ready for the installation; 
now the fun begins. 


1. Enter the command cd /usr/local/src 


This switches to a folder that’s a good place to put local copies of source 
code on your system. 


2. Enter tar -zxvf /root/mailwatch and press the Tab key. The console 
should complete the rest of the command for you, and this will change 
depending on what version of MailWatch you have downloaded. 


Press enter to run this command; you will see it unpack for you. Once 
done, enter the ls command to see the new folder that’s been added. 


3. Enter cd mail and press the Tab key to complete the command and press 
enter. 


4. Enter the command mysql -p < create.sql 

You will be prompted for the MySQL root password — enter it. 

This process launches MySQL and processes the commands in the 
create.sql script. If you want to look at this script, type more create.sql 
and you can read the code, page by page. SQL is fairly readable as 
database languages go, which is why MySQL is so popular. 

5. Now we’re going to set up the user and password for the MailScanner 
database itself. This requires that we go into MySQL interactive mode. 
This is some weird stuff, but don’t worry; it’s hard to make a mistake 
here. 

Enter the command mysql -p 

Enter the MySQL root password. 


Enter the command 


grant all on mailscanner.* to mailwatch@localhost identified by 
'password'; 


Be sure to replace password with your password. Make sure that all 
quote marks and the semi-colon are intact as well — they are required! 


Once this has been done, enter the command quit. 


6. Enter the command pico MailWatch.pm 

In this file we need to hard-code the username and password used to 
access the MailWatch database stored in MySQL. We are going to first 
modify the file, then move a copy of it into the correct location. 


Using the arrow keys, scroll down the file until you find an area that 
looks like this: 


# Modify this as necessary for your configuration
my($db_name) = 'mailscanner';
my($db_host) = 'localhost';
my($db_user) = 'root';
my($db_pass) = '';


Using the editor, change the db_user line and replace root with the 
word mailwatch. 


On the db_pass line, between the quotation marks, place in the 
password that was setup previously in step 5. 


This section should look something like this: 


# Modify this as necessary for your configuration
my($db_name) = 'mailscanner';
my($db_host) = 'localhost';
my($db_user) = 'mailwatch';
my($db_pass) = 'password';


7. Press Control-X, then press Y and press Enter to save and close out of 
Pico. 


8. Now we'll copy the file into the proper MailScanner location to add this 
function to MailScanner. 


Enter the command: 


cp MailWatch.pm /usr/share/MailScanner/MailScanner/CustomFunctions 


Once this is done, the MailWatch.pm file, when read by MailScanner, 
will log vital message information into the SQL database. This setup can 
be expanded to add multiple Piratefish into a single database — and that 
database could even be setup on a separate server, depending on your 
scaling requirements. 


9. Now we will create a web user that can log into the MailWatch console 
once it’s created. 


Enter the command: 


mysql mailscanner -u mailwatch -p 


You will be prompted to enter a password — enter in the mailwatch 
password created in step 5. 


Now enter the SQL command: (enter as one line) 


insert into users values 
('mailscanner',md5('password'),'mailscanner','A','0','0','0','0','0'); 


If done correctly, you will be greeted with “Query OK, 1 row affected”. 


Enter quit to return to the shell. 


10. Enter the command cp -R mailscanner /var/www 


This will copy the mailscanner folder and all its contents into the 
/var/www folder. 


11. Enter the command cd /var/www/mailscanner 


12. Enter the command chmod g+w temp 


This gives the group write permissions to the temp folder. 


13. Enter the command chmod ug+rwx images 
Enter the command chmod ug+rwx images/cache 


These give the user and group read, write and execute permissions on 
the images and images/cache folders. 


14. Enter the command cp conf.php.example conf.php 


This creates a copy of the conf.php.example file that we can modify for 
MailWatch. 


15. Now we need to edit the conf.php file and modify it so that it knows 
how to read the database. 


Enter the command pico conf.php 

Press Control-W and type mysql and press Enter. 
You will see a section like this: 

define('DB_TYPE', 'mysql');
define('DB_USER', 'root');
define('DB_PASS', '');
define('DB_HOST', 'localhost');
define('DB_NAME', 'mailscanner');
define('DB_DSN', DB_TYPE.'://'.DB_USER.':'.DB_PASS.'@'.DB_HOST.'/'.DB_NAME);


Change DB_USER from root to mailwatch 


Change DB_PASS so that the password for the database is between 
the quotation marks. It should look something like this once done: 


define('DB_TYPE', 'mysql');
define('DB_USER', 'mailwatch');
define('DB_PASS', 'password');
define('DB_HOST', 'localhost');
define('DB_NAME', 'mailscanner');
define('DB_DSN', DB_TYPE.'://'.DB_USER.':'.DB_PASS.'@'.DB_HOST.'/'.DB_NAME);


The default Quarantine keep setting in MailWatch is set to 30 days. If 
you wish to change this, find it in this configuration file and change it 
now. 


Now find the Paths section of the conf file. Change the value for 
MAILWATCH_HOME to read /var/www/mailscanner 


Now look down a couple of lines and find the MS_LIB_DIR setting and 
change its path to read /usr/share/MailScanner 


Now find the Quarantine Settings. Look for the setting titled 
QUARANTINE_USE_FLAG and change the false to true. 


Once you are done editing this file, press Control-X, press Y and then 
press Enter to save the file. 


Now you have configured the quarantine settings, and you have 
configured the MailWatch so that it can access the local MySQL 
database. 


16. To make the Quarantine function properly (and not store things 
forever), the quarantine maintenance script needs to be engaged in 
order to work. To accomplish this, you need to execute the following 
commands: 


echo "/usr/local/src/mailwatch-1.0.5/tools/quarantine_maint.php --clean" > /etc/cron.daily/mailwatch_quarantine_maint.sh 


This long single-line command will create a file in the /etc/cron.daily 
folder that is run once daily. 


chmod +x /etc/cron.daily/mailwatch_quarantine_maint.sh 


This command will make that newly created file executable. 


17. To keep the database under control, there is a database cleaning utility 
that also needs to be called daily. 


Enter the command pico /etc/cron.daily/db_clean.sh 


Now add the line, exactly as shown: 


/usr/bin/php -q /usr/local/src/mailwatch-1.0.5/tools/db_clean.php 


Once this is done, press Control+X and press Y and then press enter to 
save the file. 


Now enter the command: 


chmod +x /etc/cron.daily/db_clean.sh 


And this will make the script executable. 
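A check for the two cron.daily scripts created in steps 16 and 17, added here as an example and not part of the guide. Ubuntu executes /etc/cron.daily through run-parts, which only runs files that are executable and whose names consist solely of letters, digits, underscore and hyphen; the function below reports any file in the directory you name that fails either rule or lacks a #! line.

```shell
#!/bin/sh
# Added example, not part of the Piratefish guide. Ubuntu executes the files
# in /etc/cron.daily through run-parts, which ignores any file that is not
# executable or whose name contains anything other than letters, digits,
# "_" and "-" (a name such as db_clean.sh is silently skipped), so the
# scripts from steps 16 and 17 deserve a check before relying on them.
# Usage: sh this-script.sh /etc/cron.daily   (or source it and call
# check_cron_dir); the exit status is the number of problems found.

check_cron_dir() {
  dir=${1:-/etc/cron.daily}
  problems=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=${f##*/}
    # run-parts name rule: letters, digits, underscore and hyphen only
    case $name in
      *[!A-Za-z0-9_-]*)
        echo "SKIPPED by run-parts (name may only use letters, digits, _ and -): $name"
        problems=$((problems + 1)) ;;
    esac
    if [ ! -x "$f" ]; then
      echo "NOT executable (run chmod +x on it): $name"
      problems=$((problems + 1))
    fi
    # the first line should name an interpreter, e.g. #!/bin/sh, so the
    # file runs the same way whether run-parts or a shell launches it
    first=""
    IFS= read -r first < "$f" || true
    case $first in
      '#!'*) ;;
      *) echo "NO #! line (add #!/bin/sh as line 1): $name"
         problems=$((problems + 1)) ;;
    esac
  done
  echo "$problems problem(s) found in $dir"
  return $problems
}

# run the check when a directory is given on the command line
[ -z "${1:-}" ] || check_cron_dir "$1"
```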


18. Now we need to correct some paths in the tools themselves in order for 
them to run. This needs to be done manually. 


Enter the command cd /usr/local/src/mailwatch-1.0.5/tools 


Enter the command ls 


In this folder you will see four PHP files listed. Each of these will need to 
be corrected. 
19. Enter the command pico db_clean.php 


Find the line that looks like this: 


require('/var/www/html/mailscanner/functions.php'); 


Remove the html in the path so that it looks like this: 


ini_set('implicit_flush', 'false');
require('/var/www/mailscanner/functions.php');


Press Control+X, press Y and press Enter to save the file. 


Enter the command pico quarantine_report.php and find the line 
labeled require_once('/var/www/html/mailscanner/functions.php'); 
and remove the html from that line and save the file. 


Enter the command pico sendmail_relay.php and find the line labeled 
require("/var/www/html/mailscanner/functions.php"); and remove 
the html from this line and save the file. 


Enter the command pico quarantine_maint.php and find the line 
labeled require('/var/www/html/mailscanner/functions.php'); and 
remove the html from this line and save the file. 
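The same four-file correction done in a single pass, added as an example (not code from MailWatch or the guide); it assumes the tools folder from step 18 and the /var/www/mailscanner web root set up in step 10, and reports any file still pointing at the old path.

```shell
#!/bin/sh
# Added example, not code from MailWatch or the guide: applies the step 19
# correction (drop "html" from the require path) to every PHP tool in one
# pass, then verifies nothing was missed. Assumes the tools folder from
# step 18 and the /var/www/mailscanner web root set up in step 10.
# Usage: fix_require_paths /usr/local/src/mailwatch-1.0.5/tools

OLD_PATH=/var/www/html/mailscanner
NEW_PATH=/var/www/mailscanner

fix_require_paths() {
  dir=$1
  changed=0
  for f in "$dir"/*.php; do
    [ -f "$f" ] || continue
    # only rewrite require()/require_once() lines; the rest of the file is
    # left exactly as shipped
    if grep -q "require.*$OLD_PATH/" "$f"; then
      sed -i.bak "/require/ s#$OLD_PATH/#$NEW_PATH/#" "$f" && rm -f "$f.bak"
      changed=$((changed + 1))
    fi
  done
  echo "$changed file(s) corrected in $dir"
  # any remaining reference means a file was missed or uses an odd spelling
  if grep -l "$OLD_PATH" "$dir"/*.php 2>/dev/null; then
    echo "WARNING: the file(s) listed above still point at $OLD_PATH" >&2
    return 1
  fi
  return 0
}

# run it when a directory is given on the command line
[ -z "${1:-}" ] || fix_require_paths "$1"
```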


Due to the inability of the MailWatch to read certain parts of the 
MailScanner configuration, we need to change the Anti-Virus setting in 
the MailScanner.conf file so that the ClamAV scanner is explicitly 
declared. 


Enter the command pico /etc/MailScanner/MailScanner.conf 


Type Control+W then search for Virus Scanners = Auto and change the 
Auto into clamav 


Once this is done, press Control+X, then press Y and press Enter to save 
the file. 


20. To finish off the basic setup of the MailWatch, we need to finally edit 
the geoip_update.php file so that it loads local databases in addition to 
the default mix. 


Enter the command pico /var/www/mailscanner/geoip_update.php 


Press Control+W and search for dbquery("LOAD 


The line itself will be quite long, but will start with something like this: 


dbquery("LOAD DATA INFILE 


Change this line by adding the word LOCAL so that it reads like this: 


dbquery("LOAD DATA LOCAL INFILE 


// Unzip the file (unzip required)
$exec = exec('unzip -d temp '.$file, $output, $retval);
if ($retval==0) {
    // Drop the data from the table
    dbquery("DELETE FROM geoip_country");
    // Load the data
    dbquery("LOAD DATA LOCAL INFILE '".$base.'/'.$file2."' INTO T
    // Done return the number of rows
    echo "Download complete ... ".mysql_result(dbquery("SELECT CO
    audit_log('Ran GeoIP update');
} else {


Press Control+X, then press Y and press Enter to save the file. 




Configuring MailScanner to use MailWatch 


As a final part of setting up MailWatch, we need to get MailWatch integrated 
with MailScanner. This is done by editing the MailScanner.conf file by hand. 


1. Enter the command cd /etc/MailScanner 


2. Enter the command pico MailScanner.conf 


3. Press Control+W and search for Quarantine Whole Message 


4. Change the no on this line to become a yes. 


5. Press Control+W and search for Always Looked Up Last 


6. Change the no on this line to &MailWatchLogging 


7. Now press Control+X, then press Y and press Enter to save the file. 


8. Now go into Webmin. 


Navigate to Webmin -> Servers -> MailScanner -> What to do with 
spam 


9. Add the key word store to both the Spam Actions and High Scoring 
Spam Actions. This will cause logging to occur with all spam for 
MailWatch to see. 


An example header could read: 


deliver header "X-Spam-Status: Yes" store 


10. Reboot the system. 


Once the Installation is complete and the system has restarted, you should be 
able to access the MailWatch program by browsing to: 


http://[piratefish ip]/mailscanner 


You will then have to log in as the user you created in step 9 of the installation 
section — mailscanner with the password mailscanner. 
Appendix 


Troubleshooting 


Troubleshooting Linux systems isn’t hard - it’s just very different than 
troubleshooting in Windows. The Webmin program makes configuring Linux 
very easy, but as you can probably guess, there’s a lot of stuff this guide didn’t 
go deep into. There is hope and help available for every piece of your Piratefish. 


The first and most important part of solving problems in the Piratefish is to re- 
read the chapter. This book was created to walk you through creation of the 
Piratefish server, and if the directions are followed as documented, then this 
section shouldn’t be necessary at all. If you performed testing from one section 
to the next, then you should be able to isolate problems to a particular section. 


If you run into problems, the best approach is to carefully re-read the chapter 
to see if anything was missed. Be sure to check all screenshots and descriptions; 
sometimes things are missed in the document that might be hiding in the 
picture. If you find any, please email the author so it can be corrected! 


Most folks who’ve contacted support with problems end up solving these 
problems by meticulously going over every diagram and instruction, making 
sure that every step was followed. It’s not what I’d call great technical support, 
but reading the instructions is what it’s all about. 


In the process of writing this document, I’ve read and performed every 
instruction provided in order to build my own working systems. It’s not a hard 
process to follow, but it can get tedious. 


If you’re having troubles with the Piratefish at some point during setup, just 
check everything you setup in the chapter of the guide you’re in. That’s really 
the best way to solve problems with this system. Read the manual! 
Postfix Permissions 


Postfix permissions that were setup in Chapter 6 can be a serious problem after 
installation is complete. If you run into Postfix permissions issues, it’s 
recommend that you log into the Piratefish as root, and issue the command: 


postfix set-permissions 


This will go through the configuration files and make sure that things are talking 
and happy. Please report any problems not solved by this. 


Checking the Piratefish Website 


The Piratefish website gets updates often when necessary. Keep in mind that 
open-source software can change overnight in just one update, and keeping a 
written document up to date can be impossible. To counter this, as new 
changes come out, updates to this document will be made and emailed out on a 
regular basis. Updates will also be noted on the website in the Piratefish Tuning 
section of the site. 


Viewing Log Files 


In Linux log files are stored in a directory called /var/log. If you navigate to that 
directory, you can use the cat command to print out the files and see what’s 
going on. If there’s too much to read, using the command less can be nice as it 
offers the ability to scroll up and down with the arrow keys. 


If you find an error message in the logs, you can Google for that error and 
usually find some good help. 


There’s also a nice log viewer built into the Webmin program, but it has its 
limitations. 


This mail system’s log files are: 


/var/log/mail.log    all mail logs appear here first 
/var/log/mail.err    mail error messages appear here 
/var/log/mail.warn   mail system warnings appear here 
/var/log/mail.info   mail logs that aren’t errors or warnings 
/var/log/clamav      ClamAV log messages 
/var/log/Webmin      Webmin log messages 
/var/log/auth.log    Who logged in, when and from what IP 


Linux’s own logs are stored in these files: 


/var/log/dmesg       this log contains boot messages 
/var/log/messages    this contains all system messages 


Watching live log files 


One neat feature of Linux is commands such as head and tail. Head prints out 
the first 10 lines of a file, and tail prints out the last 20. The specifics of these 
commands can be changed as well, but tail has a feature that’s unique. It can 
follow a file, showing its updates as they happen. 


Type tail -f /var/log/mail.log and press enter. 


Now as your Piratefish processes messages your screen will be updated as these 
things are added to the log — in real time. Once you’re done, just press ctrl-C 
and you'll stop the tail program. 


This capability works really well with multiple consoles or even better with 
multiple SSH sessions. 


Multiple Consoles 


Linux systems support multiple text-mode consoles. Ubuntu has 6 local 
consoles by default. If you've logged into your Linux console, and you need to 
do something else but don't want to lose your place, just switch consoles and 
voila! 


To switch between the consoles available, use the ALT key along with the 
function keys F1 through F6. 


If this system had a graphical GUI running, then pressing ALT-F1 would result in 
the GUI disappearing, and a text-mode login appearing. Pressing ALT-F7 returns 
to the graphical GUI. This works quite nicely in Ubuntu's workstation releases. 
Most Linux distributions have this ability, although it's slightly different from 
one distribution to another - some use CTRL+ALT+(F1,F2,F3, Etc.) 


Editing text files from the Linux command line 


There are two editors in every modern Linux box. One of them is called VI and 
it’s probably short for evil. VI is very powerful, but doesn’t work like any 
Windows editor you’ve ever used. Serious Linux power users will learn VI 
because it does a great job. 


The other editor, called Pico (pronounced pee-koh), has a lot of similarities to 
Windows Notepad. 


To edit a file, you can type pico filename.txt and press enter. 


At the bottom of the Pico text window a menu of options will appear; the ^ 
character in front of the various letters represents the control key, so Ctrl-X will 
exit, Ctrl-G shows help, etc. 


Log Rotation & Compression 


From the Webmin Index, click on the System Logs Tab and then click on the Log 
File Rotation icon. 


In this module, you can control how often and how many logs are kept in your 
Piratefish server. The default log retention time is usually 1 month. If you want 
longer logs, daily rotation and such, you can set it up here. 


Logs can also be compressed when they hit a certain age. Log files are 
compressed using the command GZIP. To read these files, you need to un-gzip 
them using the command gunzip. Once you’re done reading compressed logs, 
it’s a good idea to recompress them using gzip filename.log or whatever. 
DOS Mode Files versus Linux Mode Files 


During the setup of your Piratefish server, in the editor window there was a box 
that read “DOS Mode” and if you’re not familiar with Linux, you might wonder 
what this is all about. 


In the world of computers, there are two kinds of files. There are binary files 
and text files. Binary files are the databases, the pictures, the programs, video 
and sound files that we all use in our everyday computer lifestyle. Text files are, 
to be blunt, just that — files containing lines of plain old human readable (in 
most cases) text. Though they sound simple, text files are used for XML files, 
HTML files, all configuration files in Linux, most logs, older database formats, 
CSV files, program source code, batch files and scripts, and in some cases, local 
mail storage as well. 


But this is where Linux and DOS diverge. Text files in DOS format use control 
characters within the text file itself — paragraph breaks have a “return” 
character, there are line breaks, end of file markers and so forth. All these 
things are indicated in DOS text files with control characters. 


Linux however takes a completely different approach to this — text files don’t 
contain control characters for new lines and such, they contain special codes 
like “\n”. When you’re editing files on the Piratefish, you’ll never see these 
codes as the editors hide them from you, but they are there in the file when 
viewed in raw form. 


Opening a Linux text file off the Debian Install CD using Windows Notepad 
shows what happens when a Linux file is opened without being converted — the 
file will appear as one huge paragraph. If you look close, you’ll see the “\n” 
markers hiding in the mess. 


A problem can happen when moving a file from DOS to a Linux environment, 
and it’s because of this that it’s important that all the configuration files in your 
Piratefish are not saved in DOS mode. 


If you save a file in DOS mode and then type it out from the Linux console using 
the cat command, what you'll see is a file with a lot of “^M” and other 
embedded control characters hiding in it. This is what happens to DOS control 
characters when Linux prints them. These characters, if present in your 
configuration files, will cause headaches. To remove them, just un-click the DOS 
Mode box in the Webmin editor and save the file. 


There are also command-line utilities available for both Windows/DOS and Linux 
that can convert existing files from one format to another. Google for terms like 
fromdos, todos or linux text file conversion to learn more. 
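A command-line counterpart to un-ticking the DOS Mode box, added as an example that is not part of the guide: it lists the files in a directory that still have CR+LF line endings and strips the carriage returns in place. The fromdos and dos2unix utilities mentioned above do the same job; this version uses only tr, grep and cat, which every Ubuntu system has.

```shell
#!/bin/sh
# Added example, not part of the Piratefish guide: find configuration files
# saved in DOS mode (CR+LF line endings, the "^M" that cat shows) and convert
# them to Linux line endings without touching the file's owner or mode bits.
# Usage: find_dos_files /etc/postfix; dos2unix_file /etc/postfix/main.cf

CR=$(printf '\r')

# true when at least one line of file $1 ends in a carriage return
has_dos_endings() {
  grep -q "$CR\$" "$1"
}

# print every regular file in directory $1 that still has DOS line endings
find_dos_files() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    has_dos_endings "$f" && echo "$f"
  done
  return 0
}

# strip every carriage return from file $1; writing back through cat rather
# than mv keeps the original inode, ownership and permissions
dos2unix_file() {
  tmp="$1.tmp.$$"
  tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# when a directory is given on the command line, list its DOS-mode files
[ -z "${1:-}" ] || find_dos_files "$1"
```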


Configuring Trusted Relay IP's for 2-Way Operation 


In some situations you may want to configure your Piratefish server as a two- 
way email relay, relaying email into your network as required, but also working 
as an outbound relay or "smart host" for your network's email delivery. 


In step 6 of chapter 4, instructions are provided that allow you to setup what IP 
addresses are trusted to send email into your Piratefish for delivery. This list of 
IP’s is found in the Webmin -> Postfix Mail Server -> General Options area and 
looks like this in the example setup: 


Local networks   ( ) Default (all attached networks) 
                 (o) 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 10.0.0.0/22 


If you have a number of in-house servers that need to send email, they can be 
listed here and use the Piratefish to get their mail sent. 


Important Note: Adding networks to this list that are outside of your control 
will make your Piratefish into an open email relay! Spammers love those! 
Understanding CIDR Network Addressing 


The notation used to describe networks can be confusing to those folks who 
aren’t experienced Internet administrators. Here’s a short guide to 
understanding what you are seeing, when something shows /24 after a network 
IP address. 


This format is called CIDR Notation and is used as shorthand for defining entire 
ranges of IP addresses. CIDR stands for “Classless Inter-Domain Routing”. 


When someone refers to a network 10.0.0.0 with a subnet mask of 
255.255.255.0, this network actually refers to the IP addresses 10.0.0.0, 
10.0.0.1, 10.0.0.2, through 10.0.0.255. In Internet networking, the first and last 
IP addresses are not usable and are reserved — the 10.0.0.0 address is called the 
Network address, and the 10.0.0.255 address is called the Broadcast address. 
The other 254 IP addresses from 10.0.0.1 to 10.0.0.254 are usable valid IP 
addresses on that network. 


When a network engineer refers to this network, they’re not going to want to 
type out 10.0.0.0/255.255.255.0 every time — that’s a lot of typing. Instead, 
they refer to this network as 10.0.0.0/24 — because in binary there are 24 1’s 
bits in the subnet mask 255.255.255.0. 


Each number in an IP address is an 8-bit binary number, shown in decimal form. 
If you want to easily convert between decimal and binary numbers, the 
Windows calculator has a scientific mode that can do these conversions for you. 


The number before the slash refers to the network address itself. The number 
after the slash represents the number of 1's bits contained in the subnet mask 
itself. There are a total of 32 bits in an IPv4 subnet mask. Remember that the 
subnet mask, just like the IP address, is made of four 8-bit numbers that range 
from 0 to 255. 
If your IP address and subnet mask are 172.16.5.20 and 255.255.0.0, to refer 
to this network you'd enter 172.16.0.0/16. This is because there are only 16 1's 
bits in a subnet mask of 255.255.0.0 when it's converted to binary. 


If your IP address is 10.0.0.5 with a subnet mask of 255.0.0.0 and you want to 
trust this entire network, you'd enter 10.0.0.0/8. 


The Subnet Mask defines what part of an IP address is the Network and what 
part is unique to the address. Whenever a system needs to contact another 
system using IP protocols, your computer determines whether or not to route a 
packet based on whether or not the masked part of your IP address matches the 
masked part of the recipients IP address. If the masked areas don’t match, then 
the packet needs to be routed to your default gateway. If the masks match, 
then routing isn’t needed; just figure out what machine has that IP address* and 
send your data over. 


* Figuring out what machine has an IP address is done at Layer-2 using 
something called an ARP (address resolution protocol) packet — this in turn gives 
your machine the MAC address of the computer using that IP. All IP traffic 
happens at Layer-3 of the ISO model. 
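The CIDR arithmetic from this section and the Local networks check from the two-way relay section, worked in plain shell as an added example (not from the guide). The addresses and masks are the ones used above; the client addresses in the demo calls are made up, and IPv6 entries in the list are skipped because the example only handles IPv4.

```shell
#!/bin/sh
# Added example, not from the Piratefish guide: IPv4 CIDR arithmetic in plain
# POSIX shell, plus a check of a Postfix "Local networks" (mynetworks) list.
# Client addresses used in the demo at the bottom are made up.

ALL32=4294967295   # 32 one-bits, i.e. the mask 255.255.255.255

# dotted quad -> 32-bit integer, e.g. 10.0.0.5 -> 167772165
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix length -> integer mask, e.g. 24 -> 255.255.255.0 as an integer
prefix2mask() {
  echo $(( (ALL32 << (32 - $1)) & ALL32 ))
}

# dotted-quad mask -> prefix length by counting the leading 1 bits;
# fails (returns 1) for a non-contiguous mask such as 255.0.255.0
mask2prefix() {
  m=$(ip2int "$1")
  n=0
  while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
    n=$((n + 1))
  done
  [ "$(prefix2mask "$n")" -eq "$m" ] || return 1
  echo "$n"
}

# address + dotted-quad mask -> network in CIDR form,
# e.g. 172.16.5.20 255.255.0.0 -> 172.16.0.0/16
to_cidr() {
  p=$(mask2prefix "$2") || return 1
  net=$(( $(ip2int "$1") & $(prefix2mask "$p") ))
  echo "$(int2ip "$net")/$p"
}

# true when address $1 lies inside network $2 ("10.0.0.0/22"; a bare
# address means a single host, i.e. /32)
in_network() {
  case $2 in
    */*) net=${2%/*}; p=${2#*/} ;;
    *)   net=$2; p=32 ;;
  esac
  mask=$(prefix2mask "$p")
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Would Postfix treat client $1 as one of its own networks, given the
# remaining arguments as the "Local networks" list? IPv6 entries ([...])
# are skipped because this example only does IPv4 arithmetic.
relay_allowed() {
  client=$1; shift
  for n in "$@"; do
    case $n in \[*) continue ;; esac
    if in_network "$client" "$n"; then
      echo "$client: trusted, matches $n"
      return 0
    fi
  done
  echo "$client: not in the list, cannot relay through this host"
  return 1
}

# Flag list entries so broad that they almost certainly are not "your"
# network: anything shorter than a /8 covers tens of millions of addresses,
# and 0.0.0.0/0 turns the Piratefish into an open relay.
audit_local_networks() {
  bad=0
  for n in "$@"; do
    case $n in \[*) continue ;; */*) p=${n#*/} ;; *) p=32 ;; esac
    if [ "$p" -lt 8 ]; then
      echo "RISK: $n is broader than a /8 (open relay)"
      bad=$((bad + 1))
    fi
  done
  return $bad
}

# demo with the guide's own examples and the Local networks list shown above
to_cidr 10.0.0.0 255.255.255.0        # 10.0.0.0/24
to_cidr 172.16.5.20 255.255.0.0       # 172.16.0.0/16
to_cidr 10.0.0.5 255.0.0.0            # 10.0.0.0/8
relay_allowed 192.168.1.25 127.0.0.0/8 '[::ffff:127.0.0.0]/104' '[::1]/128' 192.168.1.0/24 10.0.0.0/22 || true
relay_allowed 10.0.5.9 127.0.0.0/8 '[::ffff:127.0.0.0]/104' '[::1]/128' 192.168.1.0/24 10.0.0.0/22 || true
audit_local_networks 127.0.0.0/8 192.168.1.0/24 0.0.0.0/0 || true   # flags 0.0.0.0/0
```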


If you want to learn more about how all this works, Cisco's CCNA (Cisco Certified 
Network Administrator) certification covers a great deal of how IP networks 
work, how routing works, VLAN's, the ISO stack and more. 


Anyone who administrates computer systems and works with IP addresses 
should read a CCNA study guide, even if you don't have, use or even plan to use 
any Cisco equipment. The CCNA, though somewhat self-serving in Cisco land, is 
a valuable chunk of knowledge that all network administrators should take the 
time to learn. 


IPv4 versus IPv6 


IPv6 is not discussed in this book primarily because it’s both very different and 
very new. It’s used in some networks, but not in most networks, and where it 
is used you'll probably not see it. IPv6 is going to be in our future, and a great 
many things are going to change when it finally replaces IPv4 as our primary 
Internet protocol. Things like NAT translation, DHCP, VPN’s, firew 
alls and 
routing are all going to change. IP addresses are a lot longer too. DNS will be 
your best friend. 


For now, just recognizing IPv6 addresses is good enough — we don’t need to 
work with them yet, but we should start being mindful. 


In IPv4, IP addresses are specifically referred to as being 32-bit addresses. IPv6 
addresses are 128-bits long. This means that the space taken by a single IPv6 IP 
address with its subnet mask would be “ABCDEFGHJKLMNOP1234567890QRSTUV”, 
where one half of the string is the IP address and the other half is the subnet 
mask. Compare this to IPv4, where “ABCD1234” is all the space on the Internet now. 


In binary, this means there are 256 one’s and zero’s used to make a single IP 
address with its subnet mask. CIDR makes life a little easier when writing stuff 
down, but now seeing bits markers like /104 will be more common as IPv6 is 
used in more networks. 


IPv6 addresses are written as 8 groups of four hexadecimal characters. 


Decimal numbers use the digits 0 through 9 - hexadecimal uses characters 0 
through 9, then A through F. For example, the decimal number 17 is 
represented as the hex number 11, while the number 28 would appear as the 
hex number 1C. 


This means that an IPv6 address could look like this: 


0EB5:12AC:CC1F:0000:0000:0000:9C5B:FFAD 
Documentation within the Linux environment 


Documentation does exist inside Linux systems, it’s just a little hidden. Here’s 
some help on finding it. 


Man Pages 


The first, oldest and simplest way to learn about something, such as a 
configuration file or program, is to use the man command. To see this in action, 
try typing the command man hosts — you will see the man page for the 
/etc/hosts file. This works with almost all Linux commands, but it’s not always 
perfect. 


Sometimes in a man page, there will be references to other write-ups for a 
command. For example, at the bottom of the man hosts page there is a SEE 
ALSO section that references resolver(3) and resolver(5). The number is the 
manual section, so you ask for it with man 5 resolver, which shows a completely 
different man page for a particular program or file. 


Note: If something doesn’t have a man page, try searching for it on Google with 
the word man — “man printf” for example. 

Info pages 


Man pages do not always have example configurations or provide the help you 
want. The second method to try is the use of the info command. Try the 
command info postfix and see what you get — very similar to the man page. 


Using command-line help 


On the command line itself, many commands support the --help directive. By 
typing something like grep --help you can get a quick page dump that might give 
you what you need. (Don’t forget the Shift+PageUp and Shift+PageDown keys!) 


/usr/share/doc 


When all else fails, there is a folder where all the various documentation that is 
provided with all these open-source programs is kept. When things aren’t 
working, when you need something specific about your setup, when you’re not 
seeing the Internet, whatever — this folder can help. 


Type cd /usr/share/doc and then type ls and press enter. 


In this massive directory listing, everything installed on your Piratefish (or any 
Ubuntu Linux system) will have a folder, and inside that folder will be the 
readme files, documentation files, release notes, sample configs, test files, and 
just about anything that comes with the program from its author. 


Type cd whiptail and press enter. Type ls and press enter. 


Now type cat README.whiptail and you’ll see that even the most mundane of 
things has its documentation here, waiting for you to read more. 
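As an added example, not from the guide, here is the /usr/share/doc walk from above done in Python: find the package directories whose name matches a keyword, list everything shipped in one of them, and read a file even when it is stored gzipped, which is how Ubuntu ships changelogs and many README files (the equivalent of zcat or zless). The sample tree it builds in a temporary directory, including the whiptail file contents and the libnewt0.52 neighbour, is constructed so the code runs without touching the real /usr/share/doc.

```python
import gzip
import os
import tempfile

# Where Ubuntu (and Debian) keep per-package documentation.
DOC_ROOT = "/usr/share/doc"


def find_packages(keyword, root=DOC_ROOT):
    """Return doc directories whose name contains keyword, case-insensitively,
    like running: ls /usr/share/doc | grep -i keyword"""
    keyword = keyword.lower()
    return sorted(
        name for name in os.listdir(root)
        if keyword in name.lower() and os.path.isdir(os.path.join(root, name))
    )


def list_docs(package, root=DOC_ROOT):
    """Return every file in the package's doc directory, including
    subfolders such as examples/, as paths relative to that directory."""
    base = os.path.join(root, package)
    if not os.path.isdir(base):
        raise FileNotFoundError(f"no documentation directory for {package!r} under {root}")
    found = []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            found.append(os.path.relpath(os.path.join(dirpath, name), base))
    return sorted(found)


def read_doc(path):
    """Return the text of a doc file. Files ending in .gz (changelogs, NEWS,
    README.Debian and friends are usually compressed) are decompressed
    transparently, so this does what zcat or zless would do."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def read_package_doc(package, relpath, root=DOC_ROOT):
    """read_doc() for a file named relative to the package's doc directory."""
    return read_doc(os.path.join(root, package, relpath))


def build_sample_doc_root():
    """Constructed stand-in for /usr/share/doc so the functions above can be
    exercised offline. The file contents are made up, not whiptail's real docs."""
    root = tempfile.mkdtemp(prefix="doc-root-")
    pkg = os.path.join(root, "whiptail")
    os.makedirs(os.path.join(pkg, "examples"))
    with open(os.path.join(pkg, "README.whiptail"), "w") as fh:
        fh.write("Whiptail displays dialog boxes from shell scripts.\n")
    with gzip.open(os.path.join(pkg, "changelog.Debian.gz"), "wt") as fh:
        fh.write("whiptail (0.0-0) constructed; urgency=low\n")
    with open(os.path.join(pkg, "examples", "menu.sh"), "w") as fh:
        fh.write("#!/bin/sh\nwhiptail --msgbox 'hello' 8 30\n")
    os.makedirs(os.path.join(root, "libnewt0.52"))  # an unrelated neighbour
    return root


if __name__ == "__main__":
    root = build_sample_doc_root()  # use DOC_ROOT on a real system
    print(find_packages("whip", root))
    for rel in list_docs("whiptail", root):
        print(rel)
    print(read_package_doc("whiptail", "changelog.Debian.gz", root))
```

On a real system call the functions with the default root; apropos (or man -k) remains the quickest way to search man pages by keyword when you do not know the command's name.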


Getting messages into MBOX format 


Thunderbird is a free email client available for Windows, Linux and Mac. It’s an 
alternative to Outlook, provided by the folks who make Firefox. Thunderbird 
stores its messages in MBOX format, and as it happens, comes with the ability 
to read email from Outlook PST files. 


If you have a mailbox that needs conversion to MBOX format so that you can 
extract it for pre-programming your spam filters, try installing Thunderbird and 
running it to import from your Outlook. Just remember to not let it become 
your email client — unless you want to switch. Once it’s done its job, you’ll have 
to dig into the settings folder under your user directory to find your MBOX files. 


At a later time I will append this section with full screenshots showing how this 
works. 


Thunderbird is a free mail client available from Mozilla, and it can be 
downloaded from http://mozillamessaging.com. 


Thunderbird can be run on the same computer without interfering with your existing 
email client. Just don’t allow it to become your default mail client. Also, don’t 
tell it your passwords — it will download messages if you let it. All we’re going to 
do with it is use its ability to import messages from Outlook and create MBOX 
formatted folders. 


1. Download the Thunderbird client. 
2. Launch the Thunderbird installer. 


It will extract itself and eventually start to the setup wizard. 
3. Click on the Next > button. 


4. On the next screen, you will be presented with the Setup Type dialog: 


[Screenshot: Setup Type dialog, “Choose the type of setup you prefer, then click Next.” It offers Standard (“Thunderbird will be installed with the most common options.”) and Custom (“You may choose individual options to be installed. Recommended for experienced users.”), and at the bottom a checkbox “Use Thunderbird as my default mail application”.] 


Be sure to un-check the box at the bottom — we’re just using this as a 
conversion utility and not as a mail client. 


Click on Next > to continue. 


5. Click on the Install button. 
6. Once the installation is complete, go ahead and launch Thunderbird. 


7. Once Thunderbird launches, you will be presented with a screen that 
offers to set up your mail account — click on the Cancel button. 


8. You are next asked about system integration — again, uncheck all the 
boxes you see here, as shown: 


[Screenshot: System Integration dialog with the checkboxes “Use Thunderbird as the default client for: E-Mail, Newsgroups, Feeds”, “Allow Windows Search to search messages” and “Always perform this check when starting Thunderbird”, all unchecked.] 


then click on the OK button. 


9. Now click on the Tools menu and choose the Import... option. 


You will be presented with this dialog box: 


[Screenshot: Import wizard. It reads: “This wizard will import mail messages, address book entries, preferences, and/or filters from other mail programs and common address book formats into Thunderbird. Once they have been imported, you will be able to access them from within Thunderbird.” Below are the options Import Everything, or select the type of material to import: Address Books, Mail, Settings, Filters.] 


Choose only to import Mail. Click on Next > to continue. 


10. Next you will be asked about what program to import from — choose 
Outlook and click on Next > to start the import. 


[Screenshot: Import dialog showing “Converting mailboxes from Outlook — Importing...” with a progress bar and the < Back, Next > and Cancel buttons.] 


Depending on how much mail you have, this could take a while. This is 
the part where your mail is being read from your Outlook client and 
being copied into MBOX format folders used by the Thunderbird client. 
Once this process is completed, you may want to remove your other 
mail folders as this could take up more disk space than expected. 
Microsoft’s PST files are compressed and relatively optimized - MBOX 
folders are somewhat human readable, and this means they’ll be quite 
large. 


11. Once the import is complete, you’ll be presented with a dialog similar to 
this: 


[Screenshot: “Mail was successfully imported from Outlook” dialog, listing each mailbox with the number of messages imported, for example: Mailbox Inbox, imported 1833 messages; Mailbox Sent Items, imported 99 messages; Mailbox Deleted Items, imported 31 messages; Mailbox Latest Headlines, imported 6732 messages; with < Back and Finish buttons.] 


Go ahead and click on Finish to complete the import process. 


12. Once the import is complete, an Outlook Import folder will be created 
that contains all the folders in your original email setup from Outlook. 
Go ahead and explore the imported messages to make sure your Spam 
and Ham folders were migrated in. 


Once you’ve verified that they’re present and they have your messages 
inside, proceed to the next step. 


13. Open a DOS command prompt by pressing the Windows key and the R 
key. Type CMD and press Enter. 


[Screenshot: Windows Run dialog (“Type the name of a program, folder, document, or Internet resource, and Windows will open it for you.”) with cmd typed into the Open: field, and the OK, Cancel and Browse... buttons.] 


14. Now enter the command dir Spam /s/w 


This will search the hard disk for the newly imported spam folder. 
[Screenshot: Command Prompt output of dir spam /s/w, showing the Spam folder found in a directory like C:\Users\John\AppData\Roaming\Thunderbird\Profiles\<profile>.default\Mail\Local Folders\Outlook Import.sbd\Personal Folders.sbd, followed by the “Total Files Listed” summary.] 


15. Once it completes, hopefully your Spam folder’s location will be 
displayed. Now CD into this folder. 


[Screenshot: the same Command Prompt after running cd with the full path of the Personal Folders.sbd directory found by dir spam /s/w.] 


Copy and paste can be done within this window easily by editing the 
window properties and enabling Quickedit mode. Once this mode is 
active, you can use the mouse to highlight and select text, then right 
click to copy the selected text, and then one more right click will paste 
it. Combine a couple of these copy and paste commands to get to the 
folder quickly. 


16. Once you’re in the correct folder, you can issue a start . command (be 
sure to include the period) to open a Windows file window on that 
folder. Change the view to include file details, and you'll be presented 
with something like this: 


[Screenshot: Explorer window in Details view (Name, Date modified, Type, Size), showing pairs such as Action Items / Action Items.msf, AspenSystems / AspenSystems.msf, Deleted Items / Deleted Items.msf, Drafts / Drafts.msf, eBay / eBay.msf, Ham / Ham.msf, Inbox / Inbox.msf and Junk E-mail / Junk E-mail.msf. The mail files are typed “File” and the indexes “MSF File”.] 


In this folder, there are files named Ham and Ham.msf, and each mail 
file has a paired .msf file with it. These msf files are the index files for 
quickly finding messages in the MBOX file — these can be ignored. 


The files you want to upload into your Piratefish will be the Spam and 
Ham files. These will contain the messages in MBOX format. 


These files can be examined by dragging them into an already open 
Notepad window. 
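Before copying the Spam and Ham files to the Piratefish it is worth checking that they really are MBOX files and that they hold what you expect. The following Python, an added example that is not part of the guide or of Thunderbird, uses the standard mailbox module to do that on a constructed two-message mailbox and on a constructed imitation of an .msf index header; all addresses, subjects and the X-Spam-Status value are made up.

```python
import mailbox
import tempfile

# Constructed two-message mailbox in MBOX format; not a real export.
# Every message starts with a separator line: the word "From", a space,
# the envelope sender and a date, with no colon after "From".
SAMPLE_MBOX = (
    "From alice@example.com Sat Apr 24 15:09:00 2010\n"
    "From: Alice <alice@example.com>\n"
    "To: john@example.org\n"
    "Subject: Lunch?\n"
    "\n"
    "Want to grab lunch on Friday?\n"
    ">From the deli on the corner, maybe.\n"
    "\n"
    "From bulk@example.net Sat Apr 24 15:10:00 2010\n"
    "From: Promo <bulk@example.net>\n"
    "To: john@example.org\n"
    "Subject: You have won\n"
    "X-Spam-Status: Yes, score=9.1\n"
    "\n"
    "Claim your prize now.\n"
    "\n"
)

# Constructed imitation of the first lines of a Thunderbird .msf index file
# (Mork format). It holds no mail and is not something to upload.
SAMPLE_MSF = '// <!-- <mdb:mork:z v="1.4"/> -->\n< <(a=c)> // (f=iso-8859-1)\n'


def _write_temp(prefix, text):
    fh = tempfile.NamedTemporaryFile("wb", prefix=prefix, delete=False)
    fh.write(text.encode("ascii"))
    fh.close()
    return fh.name


def write_sample_files():
    """Write the constructed samples; returns (mbox_path, msf_path)."""
    return _write_temp("Spam-", SAMPLE_MBOX), _write_temp("Spam.msf-", SAMPLE_MSF)


def looks_like_mbox(path):
    """Cheap check before uploading: an MBOX file begins with a 'From '
    separator line. The paired .msf index files fail this test."""
    with open(path, "rb") as fh:
        return fh.readline().startswith(b"From ")


def count_separators(path):
    """Count message separators. A body line that begins with 'From ' is
    written as '>From ' by mbox writers precisely so it is not counted here."""
    with open(path, "rb") as fh:
        return sum(1 for line in fh if line.startswith(b"From "))


def summarize_mbox(path):
    """One dict per message: envelope sender, From and Subject headers,
    whether an X-Spam-Status header says Yes, and the body lines."""
    box = mailbox.mbox(path, create=False)
    summary = []
    try:
        for msg in box:
            status = (msg["X-Spam-Status"] or "").strip().lower()
            summary.append({
                "envelope_from": msg.get_from().split()[0],
                "sender": msg["From"],
                "subject": msg["Subject"],
                "flagged_spam": status.startswith("yes"),
                "body_lines": msg.get_payload().splitlines(),
            })
    finally:
        box.close()
    return summary


if __name__ == "__main__":
    mbox_path, msf_path = write_sample_files()
    print("mbox looks like MBOX:", looks_like_mbox(mbox_path))
    print(".msf looks like MBOX:", looks_like_mbox(msf_path))
    print("separators:", count_separators(mbox_path))
    for m in summarize_mbox(mbox_path):
        print(m["envelope_from"], "|", m["subject"], "| spam:", m["flagged_spam"])
```

Point summarize_mbox at your real Spam and Ham files to confirm the message counts match what Thunderbird reported before you upload them; the ">From " quoting in the first message shows why a plain search for lines beginning with "From " counts messages correctly.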
Virtual Machine Support for your Piratefish 


Cloud computing is the future of computing as we all know it. Cloud computing 
allows us to treat complete working systems as applications, and not as actual 
hardware sitting on the rack. The values of this are enormous — I'll just 
summarize it this way: 

• Virtual machines back up and restore faster than physical machines. 

• They can move from one server to another without massive rebuilding. 

• If they are relatively light-load (not having tons of network or disk access at 
all times), then multiple machines can live together in harmony on a single 
server. 

• They are extremely trivial to back up and restore during scheduled 
maintenance. 

• You save money by having fewer machines, using less power to run them and 
less cooling for your computer room. 

• They eliminate the need for KVM (keyboard+video+mouse) switching in your 
data center. 

• They increase the number of applications and functions that you and your 
network can support; you will almost never be starved for resources or be 
prevented from trying something for lack of hardware. 

• Most importantly, they permit you to duplicate running systems so that you 
can perform upgrades or other drastic service events without affecting live 
production systems. 


In this section, I am documenting the installation of VMware’s own VM Tools for 
the Piratefish. I am using VMware because it’s free (I’m using ESXi 3.5, for 
example) and because it’s the most popular of all the VM hosting environments 
out there. If you’re using Amazon, Ubuntu, Sun or Microsoft as your virtual 
machine hosting environment, the steps needed to add virtual machine 
management support will be different, but might share some similarities. 


VMware Tools are used exclusively in VMware based environments to provide 
an interface between the VMware server and the virtual machine itself. 
Without these tools installed, each virtual machine running on a VMware server 
functions as an autonomous server-island — separated and unmanageable by 
VMware itself. The advantages of adding these tools are substantial however, 
and should be considered for any virtual machine environment. 


Not convinced? Here are just a few things adding your virtual machine tools to 
your virtual machines will gain you: 

• Nicely stop virtual machines from the console without logging in. 
During an emergency shutdown this prevents corruption of your virtual 
machine. 

• Provides faster startup of virtual machines, and permits sequential 
startup scripting to speed your entire environment. 

• Migrate virtual machines without hosing up the interfaces. You’ll still 
need to re-IP them... 

• Reduce overall server overhead — Linux default timings take up many 
machine cycles (ticks) to maintain themselves, and these timings already 
exist in the server virtual machine OS. Tuning your virtual machine 
leaves much needed resources available for other virtual machines. 

• Keep the clock accurate. Virtual machines live in an environment where 
the underlying number of resources is dynamic — this can cause massive 
time drift. Not correcting time can make a mess of things for time- 
sensitive applications like email. 

• Enables migration features of VMotion (and similar) environments. 
One of VMware’s most powerful features is the ability to dynamically 
move a running virtual machine from one server to another when 
resources or situations demand it. Similar features likely exist in all 
virtualized environments — but without the tools installed, these 
features are not likely to work. 

• Track virtual machine IP addresses. When you have a lot of virtual 
machines, using a lot of IP addresses, it is actually possible to lose the 
IP of a machine. With the tools installed, the IP addresses of virtual 
machines are visible to the management environment. 


If you’re using some other VM environment, be it Microsoft, Sun or Ubuntu, the 
process may be similar, but not quite the same. 


To install the VMware tools in your Piratefish, it is necessary that a CD-ROM 
device exist in your VM. If you have at some point removed the virtual CD-ROM 
drive used to install the OS in your Piratefish, you will have to shut down your 
VM, edit settings, add a drive (pointing to an ISO is easiest) and then reboot. Note 
that once the VMware tools are installed, you will need to reboot your Piratefish. 
1. Log into your Piratefish as root. 


2. From your VMware Infrastructure GUI, right click on your Piratefish VM 
and choose the option Install / Upgrade VMware Tools. 


[Screenshot: the VM context menu in the VMware Infrastructure Client, with the entries Power On, Power Off, Suspend, Reset, Shut Down Guest, Restart Guest, Snapshot, Add Permission..., Open Console, Send Ctrl+Alt+Del, Answer Question..., Report Performance..., Install/Upgrade VMware Tools, Edit Settings..., Rename, Remove from Inventory and Delete from Disk.] 


3. Click on OK in the dialog box that follows. 


4. Enter the command mount /dev/cdrom 


5. Enter the command cd /tmp 


6. The command ls /media/cdrom will list out the files on the virtual CD. 


7. Enter the command tar -zxvf /media/cdrom/VM and press the TAB 
key. 


Pressing Tab should mostly complete the rest of the line — the exact 
syntax will change depending on your VMware version — and then 
finally, type tar.gz and now press enter. 


My finished command looks like this: 


root@piratefish:/tmp# ls /media/cdrom 
root@piratefish:/tmp# tar -zxvf /media/cdrom/VMwareTools-3.5.0-207095.tar.gz 


Once this command is entered correctly, a ton of stuff will scroll by on 
the screen as the archive is unpacked. 


8. Once the archive has unpacked, enter the command 
cd vmware-tools-distrib 


9. Enter the command ./vmware-install.pl 


You will be asked a series of questions — just press the enter key to 
respond to all of them and take the default responses. 


The installer will actually compile and run all the needed tools to install 
the VMware tools into your system automatically. Fortunately, the 
default Piratefish setup includes all that’s needed to complete this 
installation using the default answers. 


10. Once this process has completed, reboot your Piratefish using the 
reboot command. Once it’s back online, you will see that VMware 
Tools are installed on your Piratefish and the IP address of your 
Piratefish will be visible in the VMware Infrastructure Client. 
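The tar and cd steps above are where a typo or a surprise inside the archive bites, so here, as an added example that is not part of the guide or of VMware's installer, is a small Python helper that does the same job with checks: it locates the single VMwareTools-*.tar.gz on the mounted CD (what Tab completion did for you), refuses any archive member that would be written outside the destination directory or that is a link, and hands back the path of vmware-install.pl for you to run. The fake CD directory it builds, the version string 0.0.0-000000 in the file name and the installer stub inside it are constructed for offline testing.

```python
import glob
import io
import os
import tarfile
import tempfile


def find_tools_tarball(media_dir="/media/cdrom"):
    """Locate the one VMwareTools-*.tar.gz on the mounted Tools CD."""
    matches = sorted(glob.glob(os.path.join(media_dir, "VMwareTools-*.tar.gz")))
    if len(matches) != 1:
        raise FileNotFoundError(
            f"expected one VMwareTools-*.tar.gz in {media_dir}, found {matches}")
    return matches[0]


def _checked_members(tar, dest):
    """Yield members whose extracted path stays inside dest. Names that climb
    out with '..' or are absolute, and symlinks/hardlinks (which could redirect
    later writes elsewhere), are refused before anything is written."""
    dest = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if os.path.commonpath([dest, target]) != dest:
            raise ValueError(f"refusing {member.name!r}: it escapes {dest}")
        if member.issym() or member.islnk():
            raise ValueError(f"refusing link member {member.name!r}")
        yield member


def unpack_tools(tarball, dest="/tmp"):
    """Extract the archive into dest (the equivalent of tar -zxvf in /tmp)
    and return the installer path expected under vmware-tools-distrib/."""
    # On Python 3.12+ (and patched 3.8-3.11) the 'data' filter adds the
    # library's own path checks on top of ours; older versions lack it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(tarball, "r:gz") as tar:
        tar.extractall(dest, members=_checked_members(tar, dest), **extra)
    installer = os.path.join(dest, "vmware-tools-distrib", "vmware-install.pl")
    if not os.path.isfile(installer):
        raise FileNotFoundError(f"archive did not contain {installer}")
    return installer


def extraction_rejected(tarball, dest):
    """True if unpack_tools refused the archive because of an unsafe member."""
    try:
        unpack_tools(tarball, dest)
    except ValueError:
        return True
    return False


def new_temp_dir():
    """Fresh empty directory to stand in for /tmp during testing."""
    return tempfile.mkdtemp(prefix="tools-dest-")


def build_fake_media(hostile=False):
    """Constructed stand-in for the Tools CD: a directory holding one tarball
    with vmware-tools-distrib/vmware-install.pl (a stub, not VMware's script).
    With hostile=True the tarball also carries '../escaped.txt' to exercise
    the path check. The version in the file name is made up."""
    media = tempfile.mkdtemp(prefix="fake-cdrom-")
    path = os.path.join(media, "VMwareTools-0.0.0-000000.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        script = b'#!/usr/bin/perl\nprint "constructed installer stub\\n";\n'
        info = tarfile.TarInfo("vmware-tools-distrib/vmware-install.pl")
        info.size = len(script)
        info.mode = 0o755
        tar.addfile(info, io.BytesIO(script))
        if hostile:
            evil = b"must never land outside the destination\n"
            info = tarfile.TarInfo("../escaped.txt")
            info.size = len(evil)
            tar.addfile(info, io.BytesIO(evil))
    return media


if __name__ == "__main__":
    media = build_fake_media()          # on a real VM: "/media/cdrom"
    tarball = find_tools_tarball(media)
    print("found:", tarball)
    print("installer:", unpack_tools(tarball, new_temp_dir()))
    bad = find_tools_tarball(build_fake_media(hostile=True))
    print("hostile archive rejected:", extraction_rejected(bad, new_temp_dir()))
```

After unpack_tools returns, the remaining steps are unchanged: cd into vmware-tools-distrib and run ./vmware-install.pl, answering the prompts with Enter.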
Once the VMware tools are installed, it is recommended after the rebooting 
that you log into your Piratefish and run the command vmware-toolbox. This 
will ensure that all the possible hooks are configured between your Piratefish 
and the VMware server. 


In the future, after upgrading your Piratefish using the Ubuntu apt-get 
dist-upgrade command, you might want to get into the habit of running the 
program vmware-config-tools.pl to reconfigure the VMware installation, then 
running vmware-toolbox once again, and rebooting afterwards. 


To see all the possible vmware commands the VMware Tools have added, just 
type vmware into the command line and press the Tab key a couple of times. 
The line completion options will be presented by Ubuntu for you: 


root@piratefish:~# vmware- 
vmware-checkvm            vmware-tools-upgrader 
vmware-config-tools.pl    vmware-uninstall-tools.pl 
vmware-guestd             vmware-user 
vmware-hgfsclient         vmware-vmdesched 
vmware-toolbox 
root@piratefish:~# vmware- 


Contributing to Open Source 


The software that makes the Piratefish happen is all Open Source software, and 
is protected by licenses such as the GNU General Public License and others. 


Open Source means that the programmers who went to the trouble to write this 
software have all allowed folks to download and use this software for free. 


Open Source software needs the support of the people using it. 


Here’s a short list of the folks who make the Piratefish possible. They need your 
help to keep their Open Source software free and of the highest quality: 


Module                      Name                            Link 

Webmin MailScanner Plugin   Richard Lush                    http://sourceforge.net/users/lushman/ 
MailScanner                 Julian Field                    http://www.sng.ecs.soton.ac.uk/mailscanner/donations.shtml 
SpamAssassin                The Apache Software Foundation  http://www.apache.org/foundation/contributing.html 
ClamAV                      Clam Anti-Virus Team            http://www.clamav.net/donate.html#pagestart 
Webmin                      Too many to list                http://www.webmin.com 
Debian Linux                Too many to list                http://www.debian.org 
Ubuntu Linux                Too many to list                http://www.ubuntu.com 


Spam Blacklists 


Spam Blacklists are very important to the Piratefish. It is recommended that 
you subscribe to the mailing lists maintained by each different blacklist you use. 
Information regarding those lists can be important to the good continuing 
functioning of your Piratefish server and these lists have very low traffic. 


Donations to the Spam Blacklists are also encouraged, as they provide a valuable 
service to the Internet and need financial help to keep operating. Spam 
Blacklists have come under numerous lawsuits by spammers in an attempt to 
shut them down — please keep them alive with your donation. 
maintained networks and software diligently, gaining years of practical hands- 
on experience at all levels - designing networks and implementing security 
solutions before the Internet was used commercially. 


In 1995 Mr. Silvia began working for a library information systems company 
called CARL Corporation, an early commercial adopter of the Internet. 
Getting Support 


Support for your Piratefish is included with the purchase of this book. Please 
feel free to contact the author if you run into problems or have any questions 
that aren’t covered in these pages. 


If you need to contact me, I can be reached at johnny@piratefish.org 


I try to answer any and all questions directed my way. If there are any 
omissions or suggestions to improve the Piratefish system, please write me. 


I can also be found using Google Talk. My chat ID is digital.exorcist@gmail.com. 